The short answer: Configure an identity provider (IDP) in Command Center to enable SAML-based single sign-on (SSO) for all users on your Proof domain.
Single Sign-On (SSO) lets users log in to multiple applications using a single set of credentials. With SSO, account and credential management is handled by your identity provider (IDP), not by Proof.
Setting up SSO is part of a multi-step process. Click a link below to review that step, or read the domain-based SSO overview, which explains what to expect once the process is complete.
- Verify your domain
- Set up single sign-on in your Proof account → You are here
- Set up SAML configurations with your identity provider for SSO
What You Need
Configuring SSO is bidirectional: the SP metadata must be configured in the IDP, and the IDP metadata must be configured in the SP. You need both of the following:
- A Proof-verified domain (see Verify your domain for instructions)
- A metadata file (.xml) from your identity provider
Metadata file options:
Option A (most common): Download a metadata file (.xml) from your Identity Provider (IDP). Common guides:
Option B: If you cannot download a metadata file from your IDP, you will need the following details manually:
- Entity ID
- X509 public certificate
- Single sign-on (SSO) URL
- SSO request binding
- [Optional] Single log-out (SLO) URL and request binding
Set Up SSO
New to Command Center? Here's how to access it.
- Click Security from the left menu.
- Select Identity providers.
- Click Configure new identity provider in the upper right corner.
- Type an internal name for your configuration.
- This can be any name you choose — many admins align it with the name of their IDP.
- Select a method for providing your metadata.
- XML file: Drag and drop or click to upload the metadata file (.xml) from your IDP.
- Manual entry: Provide the required fields from your IDP, including: Entity ID, X509 public certificate, SSO URL, SSO request binding, and optionally Single Log-Out (SLO) details.
- Click Process.
- Review the configuration in detail:
- Confirm at least one certificate is visible and in the Active state.
- If you or your metadata provided an SLO URL, SLO will be enabled — when a user logs out of their identity provider, they will also be logged out of Proof.
- You can delete and replace the metadata file or edit configuration details if anything needs to be changed.
- Click Save.
- Your SAML configuration is not yet active — no users will be impacted at this stage.
- Proceed to the next section to activate.
Activate Your SAML Configuration
To activate this SAML configuration, connect it to a verified domain.
- Select Details and Policies for the domain you'd like to update.
- Click Edit.
- Select the configuration you created from the dropdown.
- Review the configuration details, including JIT provisioning, routing logic for new users, and whether users will retain password access.
- Click Save.
Once saved, the SSO configuration will be live and applied to all users on the Proof platform with your domain.
Summary Checklist
- Verify your domain in Command Center (Verify your domain).
- Obtain a metadata file (.xml) from your identity provider, or gather Entity ID, X509 certificate, and SSO URL.
- In Command Center, go to Security → Identity providers and click Configure new identity provider.
- Upload your metadata file or enter your IDP details manually, then click Process.
- Review the certificate status and click Save.
- Under Details and Policies for your domain, select the new configuration and save to activate SSO.
Still Unsure?
Our support team is happy to help. Submit a support request or chat with us from any page in the app.
Updated