Provisioning SAML 2.0 SSO for a Neeve Organization


Neeve supports SAML 2.0-based SSO for organizations. SSO setup is a two-part configuration:

  1. Neeve Portal → Identity Provider

    • Neeve generates:

      • ACS URL

      • Entity ID URL

  2. Identity Provider → Neeve Portal

    • The IdP is configured with Neeve’s ACS URL and Entity ID.

    • The IdP then provides metadata back to Neeve.

    • Neeve uses that metadata to complete the SSO handshake.

Authentication is handled by the customer’s IdP. Authorization is still handled by Neeve Portal, so users must exist in both the IdP and Neeve Portal.


Common Troubleshooting

User is not redirected to the IdP

Check:

  • The user’s email domain matches the domain configured in Neeve Portal.

  • SSO is enabled.

  • The provider configuration is not still in draft mode.


User authenticates successfully but cannot access Neeve

Check:

  • The user exists in Neeve Portal.

  • The user has the correct Neeve authorization or role.

  • The user exists in the IdP.

  • The user is assigned to the SAML application or required IdP group.


Login fails after IdP authentication

Check the SAML attribute mapping.

Most likely issue:

email

The attribute name must match exactly and is case-sensitive.
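The check described above, as an added example that is not Neeve's own code: a small diagnostic that decodes a captured SAMLResponse (HTTP-POST binding, base64-encoded) and reports whether it carries an attribute named exactly email. The function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED = "email"  # attribute name from this page; compared case-sensitively


def attribute_names(saml_response_b64):
    """Return {Name: [values]} for each Attribute in a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        found[attr.get("Name", "")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return found


def diagnose(saml_response_b64, expected=EXPECTED):
    """Return (status, detail); status is ok, empty-value, case-mismatch or missing."""
    attrs = attribute_names(saml_response_b64)
    if expected in attrs:
        return ("ok" if any(attrs[expected]) else "empty-value", expected)
    for name in attrs:
        if name.lower() == expected.lower():
            return ("case-mismatch", name)  # e.g. IdP sends "Email"
    return ("missing", sorted(attrs))  # list what the IdP did send


def sample_response(name, value="user@example.com"):
    """Constructed, unsigned SAMLResponse used only to exercise diagnose()."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:AttributeStatement><saml:Attribute Name="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Diagnostic only: no signature check, so never use this for access decisions.
    for sent in ("email", "Email", "mail"):
        print(sent, "->", diagnose(sample_response(sent)))
```

A case-mismatch or missing result points at the attribute mapping in the IdP's SAML application rather than at the Neeve Portal configuration.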


User is prompted for MFA unexpectedly

Neeve Portal MFA should be bypassed for SSO users. If MFA appears, check:

  • Whether the login is actually going through SSO.

  • Whether MFA is being enforced by the IdP.

  • Whether the user’s domain matches the SSO-configured domain.


User cannot log in after SSO is disabled

This is a known limitation for users created during the SSO period.

Workaround:

  • Re-invite the affected user from Neeve Portal so they can set a password.