How to set up SAML SSO with your identity provider
Use SAML (Security Assertion Markup Language) single sign-on (SSO) to let users log in to Calendly with your identity provider (IdP) — the external service that manages your company's user credentials. SAML SSO makes signing in faster, more secure, and easier to manage.
For example, you can:
- Let users access Calendly through any SAML-based provider, such as:
- Help IT and security teams manage users more easily.
Calendly supports the SAML 2.0 protocol and works with most enterprise IdPs. You can follow these steps for any IdP — even if it's not listed above.
Before you begin
- You must be a Calendly Owner or Admin.
- Use the same email address in Calendly and your IdP.
- Open Calendly and your IdP in two browser tabs for easier setup.
- Calendly doesn't support Just-in-Time (JIT) provisioning — the method where user accounts are created automatically the first time a user signs in through SAML SSO. Use SCIM (System for Cross-domain Identity Management) instead to manage users.
Configure SAML SSO in Calendly
Enter your IdP info in Calendly
- In Calendly, go to Admin center > Login > Single sign-on.
- Under Step 1, enter the following info from your IdP:
IdP setting
Calendly field
Required?
Notes
Issuer or Entity ID
Entity ID
Yes
Also called “Issuer URL” or “Issuer ID”
SSO URL
Identity provider's SAML HTTP Request URL
Yes
Also called “Login URL” or “SAML 2.0 Endpoint”
x.509 certificate
X.509 certificate for SAML authentication
Yes
Must be in PEM format
- Choose Save & continue.
Configure your identity provider
Add these Calendly values in your IdP settings
IdP setting | Value | Required? | Notes |
Audience | Calendly’s Audience URL | Yes | May also be called “Entity ID” |
ACS URL | Calendly’s ACS URL | Yes | Also known as “Reply URL” or “Callback URL” |
Recipient/Destination | Calendly’s ACS URL | Yes | Some IdPs fill this in automatically |
Request Binding |
| Yes | May be shown as “POST” |
Default Relay State | Calendly’s Default Relay State | Yes if using IdP-initiated login | Needed to log in from your IdP dashboard |
Assertion Signature | SHA256 | Yes | Required |
Response Signature | SHA256 | No | Optional |
Encrypted Assertion | Not supported | No | Calendly doesn't support this |
Name ID | User’s email address | Yes | Must match Calendly email |
Name ID Format |
| Yes | Use either option |
Set attribute mappings
Add these exact attribute names in your IdP:
Name | Required? | Description |
| Yes | User’s main email address |
| Yes | User’s first name |
| Yes | User’s last name |
Assign user access
Update your IdP rules so the right people can access Calendly.
Test the connection
- In Calendly, turn on Enable SSO for yourself. This activates SAML SSO only for your own admin account so you can verify the connection before applying it organization-wide.
- Select Test connection.
- If the test works, you'll see a success banner.
- If it fails, check that:
- The user's IdP email matches their Calendly email.
- The attributes in your IdP are mapped correctly.
Enforce SSO for your organization
- In your IdP, assign the Calendly app to all users.
- In Calendly, select Enforce SAML SSO for my organization, then choose Apply.
Note: Enforcing SAML SSO logs out everyone in the organization. They must sign in using SAML SSO. The org Owner can still log in with their original method (such as Google OAuth or email and password) by choosing Log in using another method.