Setting up SSO on Juicer

Juicer supports Single sign-on (SSO SAML 2.0)—here is how to set it up

Written by Mario T.
Updated today

Why use SSO?

  • One login for everything—your team signs in with the same credentials they use for all other company apps; no separate Juicer password needed

  • Stronger security—authentication policies (MFA, conditional access, session timeouts) enforced at your identity provider automatically apply to Juicer

  • Easy onboarding—new team members are added to your Juicer account automatically on their first sign-in; no manual invite required

  • Simplified offboarding—deactivate a user in your identity provider, and they immediately lose access to Juicer

  • Optional enforcement—you can require SSO for all users, removing the email/password login option entirely

Setting up SSO

Prerequisites

Before you start, make sure you have:

  • A Juicer Enterprise plan

  • Owner or Manager role in Juicer

  • Admin access to a SAML 2.0-compliant identity provider (Okta, Microsoft Entra ID, Google Workspace, OneLogin, or any other SAML 2.0 IdP)

Step 1—Get your Juicer Service Provider details

  1. Go directly to juicer.io/sso_config or open your profile menu (top-right) and select SSO

  2. You'll see your Juicer SP details. Copy two values from the Juicer setup page, the Single Sign-On URL (ACS URL) and the Audience URI (SP Entity ID); you'll need them in your identity provider:

| Field | Value |
| --- | --- |
| Single Sign-On URL (ACS URL) | https://juicer.io/auth/saml/callback |
| Audience URI (SP Entity ID) | https://juicer.io/auth/saml/metadata/YOUR-ACCOUNT-SLUG |
| Name ID Format | EmailAddress |
| Application Username | Email |

Step 2—Configure your Identity Provider

Choose your IdP below. If yours isn't listed, follow the generic SAML 2.0 instructions.

Okta

  1. In the Okta admin console, go to Applications → Create App Integration → SAML 2.0

  2. Give the app a name (e.g., "Juicer") and click Next

  3. Under SAML Settings:

    1. Single sign-on URL: paste the ACS URL from Step 1

    2. Audience URI (SP Entity ID): paste the Audience URI from Step 1

      1. Make sure you paste your account-specific link, not the one used here as an example

    3. Name ID format: EmailAddress

    4. Application username: Email

  4. Click through to finish creating the app

  5. Open the app's Sign On tab and expand the More details section

  6. On Okta, copy the Issuer—paste this on Juicer as your IdP Entity ID

  7. On Okta, copy the Sign On URL—paste this on Juicer as your IdP SSO URL

  8. Under Signing Certificates, download the active certificate

    • ⚠️ Copying the certificate from this screen and pasting it on Juicer will not work; download it instead

  9. Open the downloaded okta.cert file in a text editor and copy its content

  10. Paste the copied certificate text into the IdP Certificate (PEM) field on Juicer

  11. Enter your domain(s) into the Email Domains (comma-separated) field on Juicer

  12. Click Save Configuration

  13. Go to the Assignments tab and assign the users or groups who should access Juicer

  14. You can go to Step 4 of this tutorial.

Microsoft Entra ID (Azure AD)

  1. In the Azure portal, go to Microsoft Entra ID → Enterprise applications → New application

  2. Click Create your own application, choose "Integrate any other application you don't find in the gallery", and name it (e.g., "Juicer")

  3. Go to Single sign-on → SAML

  4. Under Basic SAML Configuration:

    • Identifier (Entity ID): paste the Audience URI from Step 1

    • Reply URL (Assertion Consumer Service URL): paste the ACS URL from Step 1

  5. Under Attributes & Claims, confirm the unique identifier claim uses user.mail

  6. Under SAML Signing Certificate, download Certificate (Base64)

  7. From the same screen:

    • Copy Login URL—this is your IdP SSO URL

    • Copy Microsoft Entra Identifier—this is your IdP Entity ID

  8. Go to Users and groups and assign who should have access

Google Workspace

  1. In the Google Admin Console, go to Apps → Web and mobile apps → Add app → Add custom SAML app

  2. Name the app (e.g., "Juicer") and click Continue

  3. On the Google Identity Provider details screen:

    • Download the Certificate

    • Copy the SSO URL—this is your IdP SSO URL

    • Copy the Entity ID—this is your IdP Entity ID

    • Click Continue

  4. On the Service provider details screen:

    • ACS URL: paste the ACS URL from Step 1

    • Entity ID: paste the Audience URI from Step 1

    • Name ID format: EMAIL

    • Name ID: Basic Information → Primary email

  5. Click Continue, skip attribute mapping, and finish

  6. Go to User access and enable the app for the relevant organizational units or groups

OneLogin

  1. In the OneLogin admin console, go to Applications → Add App

  2. Search for SAML Custom Connector (Advanced) and select it

  3. Name the app (e.g., "Juicer") and save

  4. Open the Configuration tab:

    • ACS (Consumer) URL: paste the ACS URL from Step 1

    • Audience (EntityID): paste the Audience URI from Step 1

    • ACS (Consumer) URL Validator: enter the ACS URL again

    • Name ID format: Email

  5. Open the SSO tab:

    • Download the X.509 Certificate

    • Copy the Issuer URL—this is your IdP Entity ID

    • Copy the SAML 2.0 Endpoint (HTTP)—this is your IdP SSO URL

  6. Go to Users and assign the relevant users

Other SAML 2.0 providers

Any SAML 2.0-compliant identity provider works with Juicer. You'll need to:

  1. Create a new SAML application in your IdP

  2. Set the ACS URL (also called Reply URL, Consumer URL, or Callback URL) to the value from Step 1

  3. Set the SP Entity ID (also called Audience URI or Identifier) to the value from Step 1

  4. Set the Name ID attribute to the user's email address (format: EmailAddress)

  5. Download the signing certificate in PEM or Base64 format

  6. Note the IdP Entity ID and SSO endpoint URL—you'll enter these in Juicer

Step 3—Enter your IdP details in Juicer

Back in Juicer, fill in the configuration form:

| Field | What to enter |
| --- | --- |
| Display Name | A label to identify this connection (e.g., "Okta", "Azure AD") |
| IdP Entity ID | The entity ID / issuer from your identity provider |
| IdP SSO URL | The SSO endpoint URL from your identity provider |
| IdP Certificate | The full certificate text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines |
| Email Domains | Comma-separated list of email domains that should use SSO (e.g., company.com, subsidiary.com) |

Click Save Configuration.

⚡️ Users who followed the Okta setup have already finished Step 3 above.
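
A pre-flight check for the Step 3 form values, as an added example (not Juicer's code and not its validation rules). The function name and the stand-in certificate bytes are constructed for illustration, and requiring HTTPS for the IdP SSO URL is an assumption:

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import urlparse

PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----\Z"
)
DOMAIN_RE = re.compile(r"\A([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\Z")

# Constructed stand-in: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


def check_sso_form(entity_id, sso_url, cert_pem, email_domains, audience_uri):
    """Return (problems, sha256_hex_or_None) for the values entered in Step 3."""
    problems, fingerprint = [], None
    if not entity_id.strip():
        problems.append("IdP Entity ID is empty")
    url = urlparse(sso_url.strip())
    if url.scheme != "https" or not url.hostname:  # assumption: require TLS
        problems.append("IdP SSO URL is not an https:// URL")
    if "YOUR-ACCOUNT-SLUG" in audience_uri:
        problems.append("Audience URI is the example value, not your account's")
    match = PEM_RE.match(cert_pem.strip())
    if not match:
        problems.append("IdP Certificate lacks the BEGIN/END CERTIFICATE lines")
    else:
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):  # X.509 certificates are DER SEQUENCEs
            problems.append("IdP Certificate body is not base64-encoded DER")
        else:
            # Fingerprint of what was pasted, to compare with the downloaded file.
            fingerprint = hashlib.sha256(der).hexdigest()
    domains = [d.strip().lower() for d in email_domains.split(",") if d.strip()]
    if not domains:
        problems.append("Email Domains is empty")
    problems += [f"Email domain {d!r} is not a bare domain name"
                 for d in domains if not DOMAIN_RE.match(d)]
    return problems, fingerprint
```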

Step 4—Enable SSO

After saving, click Enable SSO. The status changes to Active (green badge).

Step 5—Assign users in your IdP

  • Make sure the users who need access to Juicer are assigned to the SAML application in your identity provider. (Okta users already did this in step 13 of their setup)

⚠️ Users who sign in for the first time via SSO are automatically added to your Juicer account as Managers.

Logging in with SSO

Your team can sign in two ways:

  1. Email discovery—go to juicer.io/sso/login, enter their work email, and Juicer redirects them to your IdP automatically

  2. Direct link — share https://juicer.io/sso/login?account=YOUR-ACCOUNT-SLUG (this is a dummy link, please share the link from your Juicer SSO page), and users are taken straight to your IdP (useful for bookmarks or Slack pinning)

Enforce SSO (optional)

Once SSO is working correctly, you can require it for everyone on your account:

  1. On the SSO configuration page, click Enforce SSO

  2. From this point, password-based login and password reset are disabled for all users in your account—everyone must authenticate through your identity provider

⚠️ Before enabling Enforce SSO, verify that all team members can successfully sign in via SSO. Once enforced, there is no password fallback for regular users.

Limitations

  • One identity provider per account—you cannot connect multiple IdPs simultaneously

  • SP-initiated login only—users must start the sign-in flow from Juicer (not from an IdP app tile/dashboard)

  • No Single Logout (SLO)—signing out of Juicer does not sign out of your identity provider session

  • Just-in-Time provisioning only—users are created in Juicer on first sign-in; there is no SCIM directory sync
