Skip to content →

SAML

Customers can opt to enable SAML for their workspace to manage logins through an Identity Provider.

Available to workspaces on our Enterprise plan
Login screen on the Linear desktop app

Overview

We currently support most identity providers (Okta, OneLogin, LastPass, Auth0, Bitum, etc.).

Once SAML is enabled, all members in your workspace will be required to login via SAML by default, thus, disabling any other login method type. User sessions won't be logged out or notified at the time of enabling, but the next time they sign in they will have to use SAML to regain access.

Members can login via your identity provider's website or by clicking the option to Continue with SAML SSO on the login page.

Guests are an exception, who will be able to sign in by selecting Continue via email.

Admins can log in through any method to prevent lockouts.

Configure

  1. Navigate to Settings > Administration > Security.
  2. Under the "Authentication" section, click Configure next to "SAML & SCIM".
  3. Click the toggle next to Enable SAML.
  4. You can paste in an XML URL or the raw XML text to connect with your identity provider. If you're not sure where to find this in your identity provider, take a look at their documentation or reach out to us for help.

If you want to add our logo in your Identity Provider, our Brand Assets are available for download here.

Domain rules

Allowed domains

Once you have added this information, you can add approved domains for logging in with SAML. You will need to provide an email for our verification process when adding a new domain.

Other auth methods for other domains

You can choose to allow non-SAML logins only for other email domains (ideal for contractors or guests).

Disable new workspace creation

Once SAML is enabled, you have the option to prevent non-admins from creating new Linear workspaces with their email credential from the domain you claimed during setup. This can be useful to make sure all work is consolidated in a single Linear workspace.

FAQ

If SAML is enabled for your workspace, you must login via your SAML service's website or by selecting the SAML login option on the Linear login page (it's a bit small and in gray letters, right under the other options).

If you're getting an error about the workspace not being accessible and it is your first time logging into Linear with SAML, please try logging out of the SAML provider and then logging in.

If you get repeated errors, then please contact support.

For SAML-enabled Workspaces, make sure that members are given access in your identity provider(IdP). New members will be automatically provisioned using Just-In-Time (JIT) provisioning and an account will be created for them so long as they have access through your IdP.
Existing Linear members that have the correct IdP permissions can simply sign in using the SAML SSO option.

We support enabling SCIM 2.0 for you on the Enterprise plan if you have SAML enabled. More details here.

Guests must be invited over email to make sure they're permissioned appropriately. In order to invite them, enable the toggle pictured and then choose "Invite" in Settings > Workspace > Members.

Security > Allow other authentication methods for all additional email domains > On
Previous

Security

Next

SCIM