How to Set up SSO (Single Sign-On)

Overview


AfterShip supports SAML 2.0-based Single Sign-On (SSO) integration. This allows organizations to connect their existing Identity Providers (IdPs) such as Microsoft Entra ID (Azure AD), Okta, or any other SAML-compatible system with AfterShip. Team members can securely access AfterShip using their existing company credentials, without needing separate passwords. This ensures centralized authentication, consistent security policies, and simplified user management. Moreover, this makes onboarding easier for new members.


How to set up SAML SSO?


The setup process currently requires support from the AfterShip Accounts team, which completes the configuration on the backend.


  1. Create a new SAML application for AfterShip, following the identity service provider's guide.
  2. Share IdP metadata with the AfterShip Accounts team to complete configuration.
  3. Wait for the backend setup confirmation from the AfterShip team.
  4. Verify the login flow once you receive your organization’s unique SSO login URL.
  5. Go live.


Microsoft Entra ID


If your organization uses Microsoft Entra ID (Azure AD):



Other Identity Providers (Manual Setup)


For manual configuration, use the following SAML settings:


| Parameter | Values | Alternative names |
|---|---|---|
| Single sign-on URL | https://accounts.aftership.com/auth/realms/business/broker/<CustomerName>/endpoint | Reply URL / ACS URL / Recipient URL |
| Audience URI | https://accounts.aftership.com/auth/realms/business | Entity ID / Service Provider Entity ID / Identifier / Audience |
| Name ID format | Email | |
| Attribute Statements | First name, Last name | |


  • After entering these details, share your IdP metadata (URL or XML) with the AfterShip team.
  • AfterShip uses <CustomerName> as a placeholder in the SAML endpoint URL format. Verify <CustomerName> with the backend team before deployment.
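
To check an IdP application against the settings above before go-live, the following added example (not AfterShip code) compares a decoded SAML Response captured from a test login with those values. The customer name examplecorp, the attribute names firstName and lastName, and the sample response are constructed assumptions; the script checks configuration only and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REALM = "https://accounts.aftership.com/auth/realms/business"  # Audience URI

def acs_url(customer):
    return f"{REALM}/broker/{customer}/endpoint"  # Single sign-on (ACS) URL

def check_response(xml_text, customer, required_attrs=("firstName", "lastName")):
    """List mismatches between a decoded SAML Response and the settings table.
    Configuration check only: no signature or validity-window verification.
    required_attrs are assumed names; the page lists only First/Last name."""
    acs, root, problems = acs_url(customer), ET.fromstring(xml_text), []
    if root.get("Destination") != acs:
        problems.append(f"Destination {root.get('Destination')!r} != {acs!r}")
    for scd in root.iterfind(".//a:SubjectConfirmationData", NS):
        if scd.get("Recipient") != acs:
            problems.append(f"Recipient {scd.get('Recipient')!r} != {acs!r}")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if REALM not in audiences:
        problems.append(f"Audience {audiences} lacks {REALM!r}")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    present = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    problems += [f"missing attribute {n!r}" for n in required_attrs if n not in present]
    return problems

def sample_response(acs, audience, fmt=EMAIL_FORMAT):
    """Constructed, unsigned Response standing in for one captured in a test login."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{acs}">
 <a:Assertion><a:Subject>
   <a:NameID Format="{fmt}">jane@example.com</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{acs}"/></a:SubjectConfirmation>
  </a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="firstName"/><a:Attribute Name="lastName"/>
  </a:AttributeStatement></a:Assertion>
</p:Response>"""

if __name__ == "__main__":
    good = sample_response(acs_url("examplecorp"), REALM)
    swapped = sample_response(REALM, acs_url("examplecorp"))  # ACS and audience swapped
    for label, doc in (("correct", good), ("swapped", swapped)):
        print(label, check_response(doc, "examplecorp") or "OK")
```

The swapped case models the most common manual-setup mistake, entering the Audience URI in the Reply URL field and the reverse, which the check reports as three separate mismatches.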


Log in to AfterShip via SSO


IdP-initiated login is not currently supported, so users should log in through the following URL instead:


https://admin.aftership.com/?idp_hint=<CustomerName>


Configure SAML SSO 


Please contact the AfterShip Accounts team to enable or modify the following configurations.


Enforce SSO by Domain


When this option is enabled, all users with the same email domain (for example, @company.com) must log in to AfterShip using SAML SSO. Standard password-based logins and third-party SSO options (such as Google SSO) will be disabled.


This ensures that every team member signs in through your company’s secure authentication system, maintaining consistent security policies across the organization.


Auto-join organization (just-in-time provisioning)


When this feature is enabled, new users who log in to AfterShip via SSO for the first time are automatically added to your organization. They are assigned a default role, which can be predefined during the setup process.


Advanced role mapping based on the user’s profile or group information from the Identity Provider (IdP) is not supported yet.


Conclusion 


SSO integration with AfterShip enables enterprise teams to securely access their accounts through their existing company identity system. Setup requires coordination with the AfterShip Accounts (Backend) team for initial configuration and verification.


FAQs


1. Can users still log in with passwords after SSO is enabled?


It depends on how SSO is configured.


  • If SSO is enabled but not enforced, users can continue logging in with their email and password or other SSO options, such as Google.
  • If SSO is enforced, all users under the same email domain must log in through the organization’s SAML SSO. Other login options will be disabled.


2. Can I use Google Workspace as an SSO provider for AfterShip?


Yes. AfterShip supports Google Social Login, allowing users to sign in directly using their Google Workspace accounts.


3. What is “Just-In-Time provisioning” and how does it work in AfterShip?


Just-In-Time (JIT) provisioning means that when a user logs in through SSO for the first time, they are automatically added to your AfterShip organization. It requires no manual invitation. Currently, JIT assigns users a default role, which can be defined during setup.

Advanced role mapping based on user attributes from your IdP is not yet supported.


4. Can I configure SSO by myself?


Not yet. SSO setup currently requires assistance from the AfterShip Accounts team to exchange metadata and verify endpoint values.


5. Which subscription plans include SAML SSO?


SAML SSO is available for organizations on the Enterprise plan.

Updated on: 12/11/2025