Everhour supports SAML 2.0-based Single Sign-on, letting your team log in with their existing company credentials managed by your identity provider. This is ideal for organizations using identity providers such as Google Workspace, Okta, Azure Active Directory, OneLogin, LastPass, or any other SAML 2.0-compliant system. SSO is a feature typically valued by larger organizations and enterprise accounts where IT security policies require centralized authentication management.
With SSO enabled, team members no longer need a separate Everhour password — they authenticate through your company's identity provider and land directly in Everhour after a single sign-in step, just like they would with any other SSO-enabled tool in your stack.
What's covered in this video
SAML SSO works by establishing a trust relationship between Everhour (the service provider) and your identity provider. When a user attempts to log in to Everhour, instead of presenting a password form, Everhour redirects them to your identity provider's login page. The identity provider authenticates the user — checking their credentials and any multi-factor authentication requirements your IT team has configured — and then sends a signed SAML assertion back to Everhour confirming the user's identity. Everhour accepts this assertion and grants access, all in a matter of seconds. Because authentication is handled by your identity provider, password policies, MFA requirements, and session management are all enforced at the source rather than needing to be configured separately in Everhour.
Setting up SAML SSO in Everhour is done through Settings, under the Security section. The setup process involves copying the SAML metadata URL or XML from your identity provider and pasting it into Everhour's SSO configuration field. Everhour then reads the metadata to understand how to communicate with your IdP, including the SSO endpoint URL and the certificate used to verify signed assertions. Before enabling SSO for the entire workspace, you can test the connection using your own admin account to confirm the authentication flow works correctly. Once confirmed, you can optionally enforce SSO for all workspace members — meaning that password-based login is disabled and all members must authenticate through the identity provider.
When SSO is active and a new team member is invited to Everhour, the invitation email still goes out as normal. However, when the new member clicks the invitation link, instead of creating a password they are redirected to the identity provider login. If they already have an account in your IdP — which they typically will for any company employee — they log in with those credentials and their Everhour account is provisioned automatically on first login. This just-in-time provisioning means you don't need to manually create Everhour accounts before sending invitations, reducing administrative overhead significantly in organizations with frequent team changes.
Key features shown
Everhour's SAML SSO feature provides enterprise-grade authentication without requiring complex setup. Support for any SAML 2.0-compliant identity provider means you can connect Everhour to whichever IdP your organization already uses — there's no requirement to switch providers or use a specific vendor. Automatic user provisioning on first login eliminates manual account creation for new team members. The optional SSO enforcement mode ensures that once SSO is configured, no one can bypass it with a simple password, strengthening your organization's overall security posture. SSO is available on Everhour's Team plan and above, reflecting its nature as a feature designed for medium to large organizations with established IT security requirements.
