Use this guide to connect a company identity provider to Refero with SAML 2.0. Refero acts as the service provider (SP); your company's product, such as Okta, Microsoft Entra ID, Google Workspace, or OneLogin, acts as the identity provider (IdP).
Refero provides organization-specific SAML URLs during setup. Do not reuse SAML URLs from another workspace.

Prerequisites

  • A Refero Team or enterprise workspace
  • Admin access to your identity provider
  • The company email domain to enable for SSO

Setup flow

  1. Your IT team creates a SAML application for Refero in your identity provider.
  2. Refero gives you the app-specific ACS URL and Entity ID.
  3. Your IT team sends Refero your IdP metadata.
  4. Refero enables SSO and provisioning for your company domain.

SAML configuration

Setting                                  Value
Sign-in URL                              https://refero.design
ACS URL / Reply URL                      https://api.refero.design/auth/saml/{organization_sso_id}/acs
Audience URI / Entity ID / Identifier    https://api.refero.design/auth/saml/{organization_sso_id}/metadata
Signature algorithm                      RSA-SHA256
Digest algorithm                         SHA256
Name ID / Unique Identifier              Email address

User attributes

Send these attributes when available:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Refero uses the user’s email address as the unique identifier.

What Refero needs from you

Item                       Notes
SSO domain                 The company email domain to allow, such as company.com
IdP metadata               Metadata URL preferred; XML metadata file also works
Provisioning preference    Whether setup/admin users should be created manually or through JIT provisioning

Provisioning

Provisioning means creating the user’s Refero account and adding them to the correct workspace. Refero supports JIT provisioning. When enabled, users from an approved company domain are created automatically after their first successful SSO sign-in. For setup and testing, some teams use a dedicated IT admin account, such as it.admin@company.com. Refero can either add that account manually before testing, or let SSO/JIT create it on first login.
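As an added example (not Refero's own code), the following Python checks a SAML response against the values in the SAML configuration table above and against the approved SSO domain described in this Provisioning section. The organization_sso_id value "example-org-id" and the response XML are constructed placeholders, and the check supplements rather than replaces XML-signature verification by a SAML library.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def check_response(xml_text, org_sso_id, sso_domain):
    """Return a list of mismatches between the response and the documented
    settings (empty list means every checked field matches). Configuration
    fields only: signature verification is still required before trusting them."""
    base = f"https://api.refero.design/auth/saml/{org_sso_id}"
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != f"{base}/acs":
        problems.append("Destination does not match the ACS URL")
    if root.findtext(".//saml:Audience", None, NS) != f"{base}/metadata":
        problems.append("Audience does not match the Entity ID")
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA-SHA256")
    dig = root.find(".//ds:DigestMethod", NS)
    if dig is None or dig.get("Algorithm") != SHA256:
        problems.append("digest algorithm is not SHA256")
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    if "@" not in name_id:
        problems.append("NameID is not an email address")
    elif not name_id.lower().endswith("@" + sso_domain.lower()):
        problems.append("NameID email is outside the approved SSO domain")
    return problems

# Constructed sample; "example-org-id" stands in for the real per-workspace organization_sso_id.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://api.refero.design/auth/saml/example-org-id/acs">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>it.admin@company.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://api.refero.design/auth/saml/example-org-id/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "example-org-id", "company.com") or "all fields match")
```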

Security notes

The ACS URL, Entity ID, and algorithms are configuration values, not passwords. They are safe to share with your IT team. Keep customer-specific setup values out of public documentation:
  • organization-specific SAML IDs
  • IdP Metadata URLs or XML metadata files
  • SAML certificates
  • confidential customer domains