How to set up SAML SSO and SCIM provisioning in Papermark?

For enterprise teams, the password your employees use to log into Papermark should be the same one they use everywhere else. Papermark supports SAML 2.0 single sign-on (SSO) and SCIM directory sync, so you can connect your identity provider, enforce SSO for all users, and automatically provision or deprovision accounts when employees join or leave.

SAML SSO and SCIM are available on the Enterprise plan. Contact support@papermark.com to enable them for your workspace.

What you get

| Feature | What it does |
| --- | --- |
| SAML 2.0 SSO | Users log into Papermark with their corporate identity provider |
| SCIM directory sync | New users are provisioned automatically, leavers are deprovisioned |
| SSO enforcement | Block password and Google logins so SSO is the only way in |
| Pre-built provider presets | One-click setup for Okta, Azure AD, Google Workspace, OneLogin, and more |
| Just-in-time provisioning | Users are created on first SSO login if SCIM is not used |

Supported identity providers

Papermark works with any SAML 2.0-compliant identity provider. We provide pre-built presets for:

  • Okta
  • Microsoft Entra ID (Azure AD)
  • Google Workspace
  • OneLogin
  • JumpCloud
  • Auth0
  • Custom SAML providers

For SCIM provisioning, the same providers are supported through the SCIM 2.0 standard.

Step-by-step: enable SAML SSO

Step 1: Open SSO settings in Papermark

  1. Log into Papermark as a workspace owner.
  2. Go to Settings, then Security, then SSO.
  3. Click Configure SAML SSO.

Step 2: Pick your identity provider

Choose your provider from the list of presets. Papermark shows you the exact values your identity provider needs (Entity ID, ACS URL, audience URI) so you can paste them into its configuration.

Step 3: Configure the application in your identity provider

In your identity provider:

  1. Create a new SAML application called "Papermark".
  2. Paste the Papermark Entity ID, ACS URL, and audience URI from the previous step.
  3. Map the following attributes:
    • email to the user's email address
    • firstName to the user's first name
    • lastName to the user's last name
  4. Download the identity provider metadata XML or copy the IdP entity ID, single sign-on URL, and X.509 certificate.

Step 4: Paste the IdP details back into Papermark

  1. Upload the metadata XML or paste the individual fields into Papermark.
  2. Click Save.
  3. Click Test SSO connection to verify the round trip works.

Once the test succeeds, SSO is live for your workspace. Users on email addresses matching your verified domain can now log in through your identity provider.

Step-by-step: enable SCIM directory sync

Step 1: Generate the SCIM endpoint and token

  1. In Papermark, go to Settings, then Security, then SCIM.
  2. Click Enable SCIM.
  3. Copy the SCIM base URL and bearer token shown on the screen.

Step 2: Configure SCIM in your identity provider

  1. In your identity provider's Papermark application, enable provisioning.
  2. Paste the SCIM base URL as the tenant URL.
  3. Paste the bearer token as the secret token.
  4. Enable the following operations:
    • Create users
    • Update user attributes
    • Deactivate users
  5. Map your group or role attribute to Papermark's role mapping (admin, member, viewer).

Step 3: Test provisioning

  1. Assign a test user to the Papermark application in your identity provider.
  2. Confirm the user appears in Papermark's Team settings within a few minutes.
  3. Remove the user and confirm they're deactivated automatically.

Once provisioning works for the test user, you can assign the Papermark app to all relevant users and groups in your identity provider.

Enforce SSO for all users

After SAML SSO is verified, you can enforce SSO so password and Google logins are blocked for your domain:

  1. In Settings, Security, SSO, toggle Enforce SSO.
  2. Confirm the change. Any active sessions outside SSO will be invalidated.

Workspace owners can still log in through a recovery flow if SSO is misconfigured, so you're never locked out of your workspace.

Use cases

  • IT compliance: enforce identity provider authentication for every employee accessing Papermark.
  • Offboarding: deactivate departed employees in your identity provider and SCIM removes them from Papermark automatically.
  • New hire onboarding: assign the Papermark app to a new hire's group and they're provisioned with the right role on day one.
  • Audit readiness: every login goes through your identity provider, so all access logs live in one place.

Need help? Contact support@papermark.com or use the in-app chat.