Setting Up Single Sign-On (SSO) for Granola

This guide walks you through configuring SAML-based Single Sign-On with Granola. We support all major identity providers including Okta, Microsoft Entra ID (formerly Azure AD), and others.

Overview

To complete SSO setup, you’ll need to:

Create a SAML application in your identity provider using the credentials we’ve provided
Configure the required attribute statements
Send us your IdP Metadata URL

Your SSO Credentials

We’ve provided the following values in our email. You’ll need these when configuring your identity provider:

SP Entity ID (also called “Audience URI” or “Identifier”) - A unique identifier for Granola’s SAML configuration
ACS URL (Assertion Consumer Service URL, also called “Reply URL” or “Single Sign-On URL”) - The URL where your identity provider sends authentication responses

Configuration Instructions

Okta
Microsoft Entra ID

Create the SAML Application

Log in to your Okta Admin dashboard
Go to Applications → Create App Integration
Select SAML 2.0 and click Next
Enter a name (e.g., “Granola”) and click Next
In the Configure SAML step:
- Set Single Sign-On URL to the ACS URL we provided
- Set Audience URI (SP Entity ID) to the SP Entity ID we provided
Click Next, and then Finish

Configure Attribute Statements

You should now be on the Sign On tab for your app. Scroll down to the Attribute Statements section and click Show legacy configuration, then add the following mappings:

Name	Value
`id`	`user.id`
`email`	`user.email`
`firstName`	`user.firstName`
`lastName`	`user.lastName`

For all of these, you can leave Name format as “Unspecified”. Please note these are case-sensitive.Group Attribute Statements: Add a group attribute statement with name groups and filter “Matches regex”: .* Click Save on the attribute statements.

Get the Metadata URL

Make sure you’re still on the Sign On tab
Under SAML 2.0 > Metadata details, click Copy on the Metadata URL

Send us this URL and we’ll complete the setup. You can now go to the Assignments tab and start to assign users/groups to the app.

Create the SAML Application

Log in to the Entra ID Admin Center
Go to Enterprise Applications → New Application
Select Create your own application
Enter a name (e.g., “Granola”), select “Integrate any other application you don’t find in the gallery (Non-gallery)”, then click Create
Select Single Sign-On from the Manage section in the left sidebar, then select SAML
Click Edit in the Basic SAML Configuration section:
- Set Identifier (Entity ID) to the SP Entity ID we provided
- Set Reply URL (Assertion Consumer Service URL) to the ACS URL we provided

Configure Attribute Statements

Click the Edit icon in the “Attributes & Claims” section and ensure the following mappings are configured:

Claim name	Source attribute
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`	`user.mail`
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`	`user.givenname`
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`	`user.userprincipalname`
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`	`user.surname`

When editing claims, make sure the Namespace value ends in /claims.Group Claims (Optional): To sync group memberships, select Add a group claim from the top menu, choose which groups to return (e.g., “Groups assigned to the application”), and click Save.

Assign Users

Select Users and groups from the sidebar to assign users and groups to the application.

Get the Metadata URL

Select Single Sign-On from the sidebar
Scroll to Section 3: SAML Signing Certificate
Copy the App Federation Metadata URL

Send us this URL and we’ll complete the setup.

What Happens Next

Once you send us the Metadata URL, we’ll verify the configuration and enable SSO for your workspace. After that, users with matching email domains will be prompted to sign in via SSO.

Troubleshooting

Verify users are assigned to the SAML application in your identity provider
Check that the email addresses in your IdP match the email domain configured for SSO

Attribute errors

Ensure all required attribute statements are configured exactly as shown above
For Entra ID, verify the claim names match what Granola expects

Need help?

Just reply to our email with details about your setup and any error messages you’re seeing - we’re happy to help!

​Setting Up Single Sign-On (SSO) for Granola

​Overview

​Your SSO Credentials

​Configuration Instructions

​Create the SAML Application

​Configure Attribute Statements

​Get the Metadata URL

​Create the SAML Application

​Configure Attribute Statements

​Assign Users

​Get the Metadata URL

​What Happens Next

​Troubleshooting

​Users can’t sign in

​Attribute errors

​Need help?

Setting Up Single Sign-On (SSO) for Granola

Overview

Your SSO Credentials

Configuration Instructions

Create the SAML Application

Configure Attribute Statements

Get the Metadata URL

Create the SAML Application

Configure Attribute Statements

Assign Users

Get the Metadata URL

What Happens Next

Troubleshooting

Users can’t sign in

Attribute errors

Need help?