Why use SSO?
One login for everything: your team signs in with the same credentials they use for all other company apps, no separate Juicer password needed.
Stronger security: authentication policies (MFA, conditional access, session timeouts) enforced at your identity provider automatically apply to Juicer.
Easy onboarding: new team members are added to your Juicer account automatically on their first sign-in, no manual invite required.
Simplified offboarding: deactivate a user in your identity provider and they immediately lose access to Juicer.
Optional enforcement: you can require SSO for all users, removing the email and password login option entirely.
Setting up SSO
Prerequisites
Before you start, make sure you have:
A Juicer Enterprise plan.
Owner or Manager role in Juicer.
Admin access to a SAML 2.0-compliant identity provider (Okta, Microsoft Entra ID, Google Workspace, OneLogin, or any other SAML 2.0 IdP).
⚠️ SSO needs to be enabled on your account before you can configure it. If you don't see the SSO option in your profile menu or the configuration form at juicer.io/sso_config, reach out to our support team and we'll enable it for you.
Step 1: Get your Juicer Service Provider details
Go directly to juicer.io/sso_config or open your profile menu (top-right) and select SSO.
You'll see your Juicer SP details. Copy two values from the Juicer setup page, the Single Sign-On URL (ACS URL) and the Audience URI (SP Entity ID). You'll need them in your identity provider.
Field | Value |
Single Sign-On URL (ACS URL) | |
Audience URI (SP Entity ID) | |
Name ID Format | EmailAddress |
Application Username |
Step 2: Configure your Identity Provider
Choose your IdP below. If yours isn't listed, follow the generic SAML 2.0 instructions in the Other SAML 2.0 providers section further down.
Okta
In the Okta admin console, go to Applications → Create App Integration → SAML 2.0.
Give the app a name (for example, "Juicer") and click Next.
Under SAML Settings:
Click through to finish creating the app.
Open the app's Sign On tab and expand the More details section.
On Okta, copy the Issuer and paste this on Juicer as your IdP Entity ID.
On Okta, copy the Sign On URL and paste this on Juicer as your IdP SSO URL.
Under Signing Certificates, download the active certificate.
⚠️ Copying it and pasting it on Juicer will not work.
Open the downloaded okta.cert file in a text editor and copy its content.
Paste the copied certificate code into the IdP Certificate (PEM) field on Juicer.
Enter your domain(s) into the Email Domains (comma-separated) field on Juicer.
Click Save Configuration.
Go to the Assignments tab and assign the users or groups who should access Juicer.
Skip to Step 4 below.
Microsoft Entra ID (Azure AD)
In the Azure portal, go to Microsoft Entra ID → Enterprise applications → New application.
Click Create your own application, choose "Integrate any other application you don't find in the gallery", and name it (for example, "Juicer").
Go to Single sign-on → SAML.
Under Basic SAML Configuration:
Identifier (Entity ID): paste the Audience URI from Step 1.
Reply URL (Assertion Consumer Service URL): paste the ACS URL from Step 1.
Under Attributes & Claims, confirm the unique identifier claim uses user.mail.
Under SAML Signing Certificate, download Certificate (Base64).
From the same screen:
Copy Login URL. This is your IdP SSO URL.
Copy Microsoft Entra Identifier. This is your IdP Entity ID.
Go to Users and groups and assign who should have access.
Google Workspace
In the Google Admin Console, go to Apps → Web and mobile apps → Add app → Add custom SAML app.
Name the app (for example, "Juicer") and click Continue.
On the Google Identity Provider details screen:
Download the Certificate.
Copy the SSO URL. This is your IdP SSO URL.
Copy the Entity ID. This is your IdP Entity ID.
Click Continue.
On the Service provider details screen:
ACS URL: paste the ACS URL from Step 1.
Entity ID: paste the Audience URI from Step 1.
Name ID format: EMAIL.
Name ID: Basic Information → Primary email.
Click Continue, skip attribute mapping, and finish.
Go to User access and enable the app for the relevant organizational units or groups.
OneLogin
In the OneLogin admin console, go to Applications → Add App.
Search for SAML Custom Connector (Advanced) and select it.
Name the app (for example, "Juicer") and save.
Open the Configuration tab:
ACS (Consumer) URL: paste the ACS URL from Step 1.
Audience (EntityID): paste the Audience URI from Step 1.
ACS (Consumer) URL Validator: enter the ACS URL again.
Name ID format: Email.
Open the SSO tab:
Download the X.509 Certificate.
Copy the Issuer URL. This is your IdP Entity ID.
Copy the SAML 2.0 Endpoint (HTTP). This is your IdP SSO URL.
Go to Users and assign the relevant users.
Other SAML 2.0 providers
Any SAML 2.0-compliant identity provider works with Juicer. You'll need to:
Create a new SAML application in your IdP.
Set the ACS URL (also called Reply URL, Consumer URL, or Callback URL) to the value from Step 1.
Set the SP Entity ID (also called Audience URI or Identifier) to the value from Step 1.
Set the Name ID attribute to the user's email address (format: EmailAddress).
Download the signing certificate in PEM or Base64 format.
Note the IdP Entity ID and SSO endpoint URL. You'll enter these in Juicer.
Step 3: Confirm your IdP details in Juicer
Back in Juicer, fill in the configuration form:
Field | What to enter |
Display Name | A label to identify this connection (for example, "Okta", "Azure AD"). |
IdP Entity ID | The entity ID or issuer from your identity provider. |
IdP SSO URL | The SSO endpoint URL from your identity provider. |
IdP Certificate | The full certificate text, including the |
Email Domains | Comma-separated list of email domains that should use SSO (for example, |
Click Save Configuration.
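Whichever IdP you use, it helps to confirm that the downloaded certificate is complete and in PEM form before it goes into the IdP Certificate field. The Python sketch below is an added example, not Juicer's code: it accepts PEM, bare Base64 or binary DER input, rejects truncated copies, and returns a SHA-256 fingerprint you can compare with the one your IdP shows, if it shows one. The function names are assumptions and `SAMPLE_DER` is constructed stand-in data, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes with a valid outer DER header (SEQUENCE, 256-byte
# body). This is NOT a real certificate; substitute the file from your IdP.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_is_complete(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, body = 2, der[1]
    else:                                  # long-form: next n bytes hold length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def normalize_idp_cert(raw: bytes) -> tuple[str, str]:
    """PEM, bare Base64 or DER in; (pem, sha256 fingerprint) out, else ValueError."""
    if der_is_complete(raw):
        der = raw
    else:
        text = raw.decode("ascii")         # UnicodeDecodeError is a ValueError
        match = PEM_RE.search(text)
        b64 = "".join((match.group(1) if match else text).split())
        der = base64.b64decode(b64, validate=True)  # binascii.Error: ValueError
        if not der_is_complete(der):
            raise ValueError("certificate is truncated or not DER-encoded")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])
    digest = hashlib.sha256(der).hexdigest().upper()
    return pem, ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    pem_text, fingerprint = normalize_idp_cert(SAMPLE_DER)
    print(pem_text, "SHA-256 fingerprint:", fingerprint, sep="\n")
```

The check covers only the outer DER length, so it catches a cut-off paste or a damaged file but does not validate the certificate's contents or expiry.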
⚡️ Users who followed the Okta setup have already finished Step 3 above.
Step 4: Enable SSO
After saving, click Enable SSO. The status changes to Active (green label).
Step 5: Assign users in your IdP
Make sure the users who need access to Juicer are assigned to the SAML application in your identity provider. (Okta users already did this in step 13 of their setup.)
⚠️ Users who sign in for the first time via SSO are automatically added to your Juicer account as Managers.
Logging in with SSO
Your team can sign in two ways:
Email discovery: users go to juicer.io/sso/login, enter their work email, and Juicer redirects them to your IdP automatically.
Direct link: share https://juicer.io/sso/login?account=YOUR-ACCOUNT-SLUG (this is a placeholder, share the actual link from your Juicer SSO page), and users are taken straight to your IdP. Useful for bookmarks or Slack pinning.
Enforce SSO (optional)
Once SSO is working correctly, you can require it for everyone on your account:
On the SSO configuration page, click Enforce SSO.
From this point, password-based login and password reset are disabled for all users in your account. Everyone must authenticate through your identity provider.
⚠️ Before enabling Enforce SSO, verify that all team members can successfully sign in via SSO. Once enforced, there is no password fallback for regular users.
Limitations
One identity provider per account: you cannot connect multiple IdPs simultaneously.
SP-initiated login only: users must start the sign-in flow from Juicer (not from an IdP app tile or dashboard).
No Single Logout (SLO): signing out of Juicer does not sign out of your identity provider session.
Just-in-Time provisioning only: users are created in Juicer on first sign-in; there is no SCIM directory sync.
If SSO sign-in fails for a user, or you can't get past the configuration save step, contact us with the IdP you're using, the email of the user hitting the issue, and a screenshot of the error message, and we'll take a look.






