
Security Settings

Configure Enterprise SSO (SAML 2.0) for your organisation

Security settings are only available on the Enterprise plan.


Enterprise SSO (SAML 2.0)

Configure Single Sign-On for your organisation using SAML 2.0. This allows your team to authenticate through your Identity Provider (Okta, Azure AD, Google Workspace, OneLogin, Auth0, PingFederate, etc.).

How It Works

  1. The user clicks "Sign in with SSO" or enters an email address with a configured SSO domain
  2. Wexio redirects the user to your Identity Provider
  3. The user authenticates with your IdP
  4. The IdP sends a SAML response back to Wexio
  5. Wexio validates the response, creates or links the user, and starts a session

Basic Settings

Field | Description
Display Name | A friendly name for this SSO configuration (e.g. "Company Okta SSO")
Email Domains | Comma-separated list of email domains (e.g. company.com, company.co.uk). Users with these email domains will be prompted to use SSO

Identity Provider Settings

Field | Description
IdP Entity ID (Issuer) | Your Identity Provider's entity identifier URL
IdP SSO URL (Login URL) | The SAML login endpoint of your IdP
IdP SLO URL (Optional - Single Logout) | The SAML logout endpoint for single logout support
IdP X.509 Certificate (PEM format) | The public certificate from your IdP used to verify SAML response signatures

Advanced Settings

Setting | Description
Require all users to authenticate via SSO | When enabled, all organisation members must log in through SSO. Password and social logins are disabled
Allow account linking | Existing users can link their accounts to SSO
Auto-create users | Create new users automatically on first SSO login
Default role | The role assigned to auto-created users (e.g. Member)

Setup Steps

  1. Go to Settings → Security
  2. Fill in the Basic Settings — display name and email domains
  3. Enter your Identity Provider Settings — Entity ID, SSO URL, SLO URL, and X.509 certificate from your IdP
  4. Configure Advanced Settings as needed
  5. Save

Identity Provider Setup Guides

When configuring your IdP, you'll need to provide these Service Provider (SP) values from Wexio:

SP Field | Value
ACS URL (Reply URL) | https://app.wexio.io/auth/sso/{your-org-slug}/callback
Entity ID (Audience URI) | https://app.wexio.io/auth/sso/{your-org-slug}/metadata
Name ID format | EmailAddress

Replace {your-org-slug} with your organisation's slug (visible in your Wexio URL).

You'll also need to configure Attribute Statements in your IdP so Wexio receives the correct user data:

Attribute name | Value
email | User's email address
firstName | User's first name
lastName | User's last name
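
To confirm the IdP side matches the SP values and attribute statements above, a decoded SAML response captured from a test login can be compared against them. The script below is an added example, not Wexio's code: the org slug "acme", the IdP entity ID and the sample response are constructed, and it checks configuration only (it does not verify the XML signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("email", "firstName", "lastName")  # attribute names from the table above

# Constructed sample: decoded response for a hypothetical org slug "acme" with two
# mistakes (Audience set to the ACS URL, lastName attribute not mapped).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://app.wexio.io/auth/sso/acme/callback">
 <saml:Assertion>
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@company.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://app.wexio.io/auth/sso/acme/callback</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"/><saml:Attribute Name="firstName"/>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, org_slug, idp_entity_id):
    """Return a list of mismatches between a decoded response and the SP values."""
    base = f"https://app.wexio.io/auth/sso/{org_slug}"
    acs_url, sp_entity_id = f"{base}/callback", f"{base}/metadata"
    root = ET.fromstring(xml_text)  # input is your own IdP's test response
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion found"]
    problems = []
    if assertion.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        problems.append("Issuer does not match IdP Entity ID")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if audience.strip() != sp_entity_id:
        problems.append("Audience does not match SP Entity ID")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match ACS URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.get("Format", "").endswith(":emailAddress"):
        problems.append("NameID format is not EmailAddress")
    sent = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing attribute: {n}" for n in REQUIRED_ATTRS if n not in sent]
    return problems

if __name__ == "__main__":
    for problem in check_saml_response(SAMPLE, "acme", "https://idp.example.com/saml"):
        print(problem)
```

An empty list means the response carries the Issuer, Audience, Destination, NameID format and attributes this page asks for.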


Troubleshooting

If you downgrade from Enterprise, SSO is automatically disabled and team members revert to standard authentication.

