Single Sign-On (SSO) allows your team members to securely access PageCrawl using your organization's identity provider, such as Azure AD, Google Workspace, Okta, or OneLogin.

Requirements

To use SAML SSO, your team must meet the following requirements:

• Enterprise Plan subscription with a quantity of 2 or more seats
• Corporate email domain - The team owner must use a verified corporate email address (free email providers like Gmail, Yahoo, Outlook, and iCloud are not supported)
• Identity Provider that supports SAML 2.0 standard
• Early Access - SSO is currently available to select customers only. Contact support to enroll in the SSO early access program.

How to Configure SAML SSO

1. Access SSO Settings

Navigate to Settings → Team → Single Sign-On (SSO) in your PageCrawl account. You must be a team administrator to access these settings.

When you first access the SSO settings page, PageCrawl automatically generates a unique identifier (UUID) and creates an initial SSO configuration for your team. This UUID is immediately available and used to create your Entity ID and Metadata URL.

2. Get Service Provider Information

Before configuring your Identity Provider, copy the Metadata URL displayed in the blue information box at the top of the SSO settings page.

The URL will look like: https://pagecrawl.io/sso/saml/abc-123-def-456/metadata

Important: Copy the actual URL shown in PageCrawl, not this example.

Most Identity Providers can automatically import all necessary configuration (Entity ID, ACS URL, Logout URL, etc.) from this metadata URL.

Note: If your IdP requires manual entry, the individual URLs are also displayed in the same box:

• Reply URL (Assertion Consumer Service URL)
• Sign on URL
• Logout URL

3. Configure Your Identity Provider

Follow the instructions in our Identity Provider Setup Guide for your specific IdP (Azure AD, Google Workspace, Okta, etc.).

You'll need to create a SAML application in your IdP and provide the ACS URL and Entity ID from step 2.

4. Import Identity Provider Metadata into PageCrawl

You have three options to configure your IdP:

Option A: Metadata URL (Recommended)

• Enter your IdP's metadata URL
• Click "Parse Metadata from URL"
• PageCrawl will automatically extract all required settings

Option B: Metadata XML

• Copy your IdP's metadata XML
• Paste it into the metadata XML field
• Click "Parse Metadata XML"

Option C: Manual Entry

• Manually enter Entity ID, SSO URL, SLO URL, and X.509 Certificate
• This option is useful for custom configurations

5. Enable SSO Features

Configure the following settings based on your needs:

Enable SSO

Turn on SAML authentication for your domain.

Enforce SSO

When enabled, password login will be disabled for users with your email domain. Users must authenticate via your identity provider.

Just-in-Time (JIT) Provisioning

Enable Automatic Account Creation

• Enabled: New users logging in via SSO will automatically get accounts created
• Disabled: Only existing users can log in via SSO. New users must be manually added first.

When JIT provisioning is enabled, you can configure:

Default Role for New SSO Users

• Administrator
• Standard User
• Viewer
• Member

Default Workspaces

• Leave empty to assign all workspaces
• Select specific workspaces to limit access

Auto-Create Personal Workspace

• When enabled, each new SSO user gets a personal workspace
• Note: Your account has a workspace limit based on your subscription
• If the limit is reached, no personal workspaces will be created

Workspace Limits

Personal workspace creation depends on your subscription plan:

If you enable "Auto-Create Personal Workspace" and have reached your limit, new SSO users will be assigned to default workspaces instead of creating personal workspaces.

SSO Login Flow

Once configured, users with your email domain will:

1. Go to PageCrawl login page
2. Enter their email address
3. Be redirected to your identity provider
4. Authenticate with their corporate credentials
5. Be redirected back to PageCrawl and logged in automatically

If JIT provisioning is enabled and they're a new user, an account will be created automatically with the configured role and workspace assignments.

Troubleshooting Common Issues

"Team has reached member limit"

Error: "Unable to provision SSO user: Team has reached its member limit."

Solution:

• Check your subscription plan in Settings → Team → Subscription
• Either upgrade to a plan with more seats or remove inactive members
• Once you have available seats, the user can try logging in again

"Automatic account creation is disabled"

Error: "Automatic account creation is disabled. Please ask your team administrator to enable JIT provisioning."

Solution:

• Enable "Enable Automatic Account Creation" in Settings → Team → Single Sign-On (SSO)
• Or manually add the user in Settings → Team → Members before they log in

User Not Assigned in Identity Provider

Symptoms: User gets error after authenticating at IdP.

Solution:

• Azure AD: Go to Enterprise Applications → PageCrawl → Users and groups → Add user/group
• Google Workspace: Admin Console → PageCrawl app → User access → Enable for user's org unit
• Okta: Applications → PageCrawl → Assignments → Assign to People

Certificate Expired or Invalid

Symptoms: "Invalid signature" or authentication fails at final step.

Solution:

1. In PageCrawl SSO settings, update the metadata:
   • Click Parse Metadata from URL to refresh, or
   • Download fresh XML from IdP and paste it, then click Parse Metadata XML
2. Most IdPs rotate certificates every 1-3 years

Metadata Import Errors

Common Issues:

• EntitiesDescriptor Format: PageCrawl requires EntityDescriptor format, not EntitiesDescriptor
• Invalid XML: Ensure you copied the entire XML including <?xml declaration
• URL Not Accessible: Ensure metadata URL is publicly accessible

Personal Workspace Not Created

Cause: Team has reached workspace limit for subscription plan.

Solution:

• Delete unused workspaces in Settings → Team → Workspaces
• Or upgrade to a plan with more workspaces
• New users will still be assigned to default workspaces

Testing Your SSO Configuration

1. Use Incognito/Private Window to test fresh user experience
2. Test with Assigned User who has access in your IdP
3. Verify Each Step:
   • Enter email at PageCrawl login
   • Verify redirect to IdP
   • Authenticate at IdP
   • Verify redirect back to PageCrawl
   • Confirm successful login
4. Test Different Scenarios:
   • New user (if JIT enabled)
   • Existing user
   • User with wrong domain (should fail correctly)

Security Best Practices

• Monitor certificate expiration dates and update before they expire
• Only assign necessary users in your IdP
• Set appropriate default role (usually "Member" or "Viewer")
• Enable "Enforce SSO" only after thorough testing with all users
• Review authentication logs regularly in Settings → Team → Security

Frequently Asked Questions

Q: Can I have multiple identity providers? A: No, PageCrawl supports one identity provider per team.

Q: What happens to existing users when I enable SSO? A: Existing users can continue using password login unless you enable "Enforce SSO". With JIT provisioning enabled, their accounts will be automatically linked to SSO on first SSO login.

Q: Can I disable SSO after enabling it? A: Yes, you can disable SSO anytime in the settings. Users will revert to password-based login.

Q: What if my IdP certificate expires? A: Users won't be able to log in until you update the certificate. Update metadata in PageCrawl SSO settings as soon as your IdP rotates certificates.

Q: Why can't I use Gmail or other free email providers? A: SSO requires corporate email domains for security. Free email providers don't provide the organizational control needed for enterprise SSO.

Q: How do I migrate all users to SSO? A: Enable SSO with JIT provisioning first. Test with a few users. Once confirmed working, enable "Enforce SSO" to require all users to use SSO.

Q: What happens if we reach our member or workspace limit? A: New SSO users won't be able to log in if member limit is reached. If workspace limit is reached, personal workspaces won't be created, but users will still be assigned to default workspaces.

Support

For assistance with SSO configuration or to request early access, contact support@pagecrawl.io.