What you need before starting
- Admin access to your identity provider (Okta, Azure AD, Google Workspace, JumpCloud, or any SAML 2.0-compatible IdP)
- Owner role in your Probo organization
- The email domain your team uses (for example, acme.com)
Configure SAML in Probo
Add a SAML configuration
Click Add SAML configuration and enter the following fields from your identity provider:
| Field | Description |
|---|---|
| Email domain | The domain Probo uses to route SSO logins (e.g. acme.com). |
| IdP entity ID | The unique identifier of your identity provider, found in your IdP’s metadata. |
| IdP SSO URL | The URL Probo redirects users to for authentication. |
| IdP certificate | The X.509 public certificate your IdP uses to sign SAML assertions. Paste the full PEM-encoded certificate. |
| Auto-signup | When enabled, new users whose email matches your domain are created automatically on first SSO login. When disabled, users must be pre-provisioned. |
Configure your identity provider
Probo exposes the following endpoints to configure in your IdP:
| Setting | Value |
|---|---|
| ACS (callback) URL | https://app.getprobo.com/api/connect/v1/saml/2.0/consume |
| Metadata URL | https://app.getprobo.com/api/connect/v1/saml/2.0/metadata |
| Entity ID | https://app.getprobo.com/api/connect/v1/saml/2.0/metadata |
| Name ID format | Email address |
Download or copy the Probo SP metadata from Settings → Security → Single Sign-On to import directly into your IdP.
Configure attribute mappings
Probo reads the following attributes from the SAML assertion to set up or update a user’s profile:
| Probo attribute | Default SAML attribute | Description |
|---|---|---|
| Email | email | User’s email address |
| First name | firstName | Given name |
| Last name | lastName | Family name |
| Role | role | Probo role to assign (OWNER, ADMIN, EMPLOYEE, VIEWER, AUDITOR) |
You can override these mappings in the Attribute mappings section if your IdP uses different attribute names.
Test the connection
Before enforcing SSO for all users, test the configuration:
- Copy the Test login URL shown in the SAML configuration detail page.
- Open the URL in a private browser window.
- Complete the SSO flow through your IdP.
- Confirm you land back in Probo without errors.
Set the enforcement policy
Once the connection is working, choose how SSO is enforced:
| Policy | Behaviour |
|---|---|
| Off | SSO is disabled. Users must sign in with email and password. |
| Optional | Users can sign in with SSO or with their password. |
| Required | All users on this domain must sign in through SSO. Password login is blocked. |
Update the policy in Settings → Security → Single Sign-On → Edit.
Domain verification
When you add an email domain to your SAML configuration, Probo generates a verification token. Adding a DNS TXT record with this token to your domain proves you control it. You can find the verification token in Settings → Security → Single Sign-On → your configuration → Domain verification.
How users sign in
Once SSO is configured, users can sign in in two ways:
- Go to https://app.getprobo.com, enter their work email, and Probo redirects them to your IdP automatically.
- Use a direct link from your IdP’s application launcher (IdP-initiated SSO is supported).
Role assignment via SAML
If your IdP sends a role attribute in the SAML assertion, Probo uses it to assign or update the user’s role on each login. The value must match one of the Probo role identifiers: OWNER, ADMIN, EMPLOYEE, VIEWER, or AUDITOR.
If no role attribute is present, new users are assigned the EMPLOYEE role by default.
Role assignment via SAML does not apply to users provisioned by SCIM. SCIM-sourced profiles are managed by your identity provider.
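An added example, not Probo's code: a pre-flight lint an admin could run on an assertion captured during the test login, checking it against the Name ID format, default attribute names and role identifiers documented above. The function name, the constructed sample assertion, and the choice to flag OWNER and ADMIN as privileged are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ROLES = {"OWNER", "ADMIN", "EMPLOYEE", "VIEWER", "AUDITOR"}  # identifiers listed on this page
DEFAULT_MAPPING = {"email": "email", "first_name": "firstName",
                   "last_name": "lastName", "role": "role"}  # default SAML attribute names

# Constructed sample: lastName is missing and role carries an IdP group name.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@acme.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>jo@acme.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role"><saml:AttributeValue>Admins</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def lint_assertion(xml_text, email_domain, mapping=DEFAULT_MAPPING):
    """Lint one decoded assertion you captured yourself; signatures are not checked."""
    root = ET.fromstring(xml_text)
    findings = []
    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append("NameID format is not emailAddress")
        if not (name_id.text or "").strip().lower().endswith("@" + email_domain.lower()):
            findings.append("NameID is outside the configured email domain")
    for key in ("email", "first_name", "last_name"):
        if not any(attrs.get(mapping[key], [])):
            findings.append(f"attribute '{mapping[key]}' missing or empty")
    roles = attrs.get(mapping["role"], [])
    if not roles:
        findings.append("no role attribute: new users default to EMPLOYEE")
    for r in roles:
        if r not in ROLES:  # exact match is this lint's choice
            findings.append(f"role '{r}' is not a Probo role identifier")
        elif r in ("OWNER", "ADMIN"):  # treated as privileged here (assumption)
            findings.append(f"role '{r}' is privileged: confirm which IdP group emits it")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_assertion(SAMPLE, "acme.com")))
```

If you override the attribute mappings in Probo, pass the same names through the `mapping` argument so the lint checks what your IdP actually sends.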
Deleting a SAML configuration
To remove a SAML configuration, navigate to Settings → Security → Single Sign-On, open the configuration, and click Delete. Users on that domain will no longer be able to use SSO until a new configuration is added.
SCIM provisioning
Automate user creation and deprovisioning alongside SSO.
Roles and permissions
Learn what each role can do in Probo.