Single Sign On - SAML

note: SAML SSO is available for free for customers on Business and Enterprise plans. Other plans can add-on SSO with an additional $50/month fee.

Single sign on (SSO) offers Raygun users a way to sign in & authenticate using third-party providers to suit your organisation.

Raygun currently supports two types of SSO, SAML & Basic.

We support the SAML2 (Security Assertion Markup Language) standard for authenticating users and logging them into the application.


To get your plan integrated with Raygun SAML SSO, head to the SAML Single Sign On (SSO) page within the Plan Settings area.

Adavanced SSO controls found on plan setting SSO screen

From here, you will be given a set of instructions to follow:

  1. Add details from your identity provider to Raygun - Add your identified SSO URL and certifcate
  2. Configure SSO settings in your identity provider - Add configurations within your identity provider to complete the connection between our systems and your chosen identity provider

When signing in using SSO you will be redirected to your identity provider (e.g. G-Suite), where you may need to complete additional steps (e.g. selecting the authenticating account) before being redirected back to Raygun. Continue reading our documentation on how to configure the additional pieces based on your chosen provider.

Once integration has been completed, users can log in to Raygun using SSO by either using the "Sign in with SSO" link from the sign in page or by using the custom endpoint that we will have supplied for you during the integration process (the Entity ID).

If you have two-factor authentication applied to your account, you will still need to supply an authentication token before completing the authentication process.


Raygun requires additional configuration for the follow providers -


If you are looking to configure with OKTA, you will need to set up a custom OKTA SSO app.

Once that is complete, there are also some specific "Advanced settings" that need to be changed from the defaults.

Under the "Show Advanced Settings", you'll need to assign these fields with the following values -

  • Response = Unsigned
  • Assertion Signature = Signed
  • Authentication context class = Unspecified

If you are configuring with JumpCloud, you will need to have the "Sign assertion" checkbox ticked within their Single Sign On configuration options within their Jumpcloud application.


If you are configuring with ADFS, to find the endpoint URL in a provided XML file, open the XML file in an IDE and auto-format it. Copy the Location property value of this element:

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"Location="https://adfs.[company_name].com/adfs/ls/"/>

If you are configuring with Azure Active Directory/Microsoft Entra ID, you will need the following settings applied in your app -

  • Unique User ID: user.userprinciplename
  • Sign SAML assertion only (do not sign response)
  • Have ADFS installed to support SAML2.

If you are configuring with G-suite, G-Suite already signs the assertions, ensure that the checkbox in G-Suite is not check for "Signed response". This will sign the whole response, which will make it incompatiable with Raygun.


Currently, we support auto provisioning users. As long as the identity provider has specified the particular users have access to Raygun via their identity provider.

For customers using SSO, a Raygun account will be automatically created when signing in via your identity provider for the first time. The account used will be associated with their SSO credentials as we match both account emails after they log in. This is so that we have an identical record on our end to assign user activities with.

For de-provisioning users from the system, you can either contact us to delete the Raygun user account, or remove the team member from the user's team in your Raygun account. Ensure that the user no longer has access to Raygun within the identity provider as well.


If you wish to disable SSO without removing the creditials, simply click 'Disable' in the top right of the SSO page. To re-enable SSO, click the 'Enable' button in the top right of the SSO page.


If you would like to ensure all users on your team must authenticate through your single sign on provider, you can apply this policy to your account via the SSO set up page.

First, ensure that everyone on your plan can successfully authenticate via SSO. Doing so will ensure users are not locked out of their account when SSO is enforced.

Once the above is validated, toggle the 'Enforce for all team members' button on the SSO page and confirm the action. This policy will be applied immediately to the organization.

If you get locked out, don't hesistate to reach out to us via our contact us page.


To delete the SSO configuration from the system, simply click the 'Delete' button and confirm the action. This will be applied immediately.


  • It's common for a certificate to expire. Ensure that your certificate is up to date by updating it via the form provided.
  • The certificate should be base 64 encoded and will contain a -----BEGIN CERTIFICATE----- line and a -----END CERTIFICATE----- which is required on our end
  • If you require a Signature Verification Certificate, please contact us.

Other standard reasons for being rejected are:

  • The message was not signed with the public key we have on file
  • The user is not associated with the organization in Raygun
  • The user does not exist in our system
  • The response message did not contain an email address

note: If during the set up of SSO, you get locked out and are unsure what steps to take, don't hesistate to reach out to us via our contact us page.