If your organization uses a SAML-based identity provider (e.g., Azure AD via SAML, ADFS, Ping Identity, OneLogin, or another SAML 2.0-compliant IdP), you can configure SSO for Devin Enterprise using generic SAML.
This guide is for customers who want to use SAML instead of the native Azure AD (OIDC) or Okta (OIDC) integrations. We generally recommend using the native OIDC integration when possible, but there are certain situations in which SAML SSO is preferred instead.

What You’ll Need

The following information is required to set up SAML SSO for Devin. You will collect these during the setup steps below and send them to your Cognition account team in the final step.
  • Sign In URL - Your IdP’s SAML SSO endpoint (e.g., https://idp.example.com/sso/saml)
  • X509 Signing Certificate - The public certificate your IdP uses to sign SAML assertions
  • Identity Provider Domains - All company email domains that will authenticate through this IdP (e.g., example.com, subsidiary.example.com)
  • Group Attribute Name (if using IdP groups) - The SAML attribute name your IdP uses to send group memberships

Setup Instructions

Step 1: Create a SAML Application in Your IdP

In your identity provider’s admin console, create a new SAML 2.0 application with the following settings:
| Setting | Value |
| --- | --- |
| ACS (Assertion Consumer Service) URL | https://auth.devin.ai/login/callback |
| Entity ID / Audience URI | Leave blank initially — see Step 5 |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (recommended) or persistent |
| Name ID Value | User’s email address |
| Signature Algorithm | RSA-SHA256 |
| Digest Algorithm | SHA256 |
| Response Binding | HTTP-POST |

Step 2: Configure SAML Attributes

Ensure your IdP sends the following attributes in the SAML assertion:
| SAML Attribute | Description | Required |
| --- | --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Unique user identifier (typically the user’s email address) | Yes |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | User’s email address | Yes |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | User’s display name | Recommended |

Devin uses the nameidentifier attribute to identify users. Most IdPs populate this automatically from the SAML Name ID value. If your IdP does not send nameidentifier as a separate attribute, ensure the Name ID Value in Step 1 is set to the user’s email address.

Step 3: Configure Group Assertions (Required for IdP Groups)

If you want to use IdP Group Integration for role-based access control in Devin, you must configure your IdP to send group membership in the SAML assertion. Without this, users will authenticate successfully but IdP groups will not be synced.
To enable IdP group syncing, configure a group attribute in your SAML application:
| SAML Attribute | Value |
| --- | --- |
| Attribute Name | http://schemas.xmlsoap.org/claims/Group |
| Attribute Value | User’s group memberships |

The exact attribute name may vary depending on your IdP. Common attribute names for groups include:
  • http://schemas.xmlsoap.org/claims/Group
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  • groups
  • memberOf
Share the exact attribute name you configure with your Cognition account team so we can map it correctly on our side.

Azure AD (Entra ID) with SAML

If you are using Azure AD with SAML instead of the native OIDC integration:
  1. In the Azure portal, go to Enterprise Applications > your SAML app > Single sign-on
  2. Under Attributes & Claims, click Add a group claim
  3. Select Groups assigned to the application (recommended) or All groups
  4. Set the Source attribute to a value appropriate for your setup (e.g., sAMAccountName or Display name)
  5. Note the Claim name that Azure generates (e.g., http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) and share it with your Cognition account team

Other SAML Identity Providers

For other IdPs (ADFS, Ping Identity, OneLogin, etc.):
  1. Add a group attribute statement to your SAML application configuration
  2. Configure it to send the user’s group memberships
  3. Note the exact attribute name and share it with your Cognition account team
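
A lint for the settings in Steps 1 to 3, as an added example that is not Cognition's or any IdP's own tooling: it reads a base64-decoded SAML response captured from a test login and lists where it departs from the tables above. The function name `lint_response`, the sample response and its user and group values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://auth.devin.ai/login/callback"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def lint_response(xml_text, group_attr=None):
    """List mismatches with Steps 1-3 (declared settings only; no signature verification)."""
    root, problems = ET.fromstring(xml_text), []
    conf = root.find(".//a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the ACS URL")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is missing or not an email address")
    elif not name_id.get("Format", "").endswith((":emailAddress", ":persistent")):
        problems.append("NameID Format is not emailAddress or persistent")
    # Map each attribute name to its non-empty values.
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS) if v.text]
             for a in root.iterfind(".//a:Attribute", NS)}
    if not attrs.get(EMAIL_CLAIM):
        problems.append("emailaddress attribute missing")
    if group_attr and not attrs.get(group_attr):
        problems.append(f"no values under group attribute {group_attr}")
    for tag, want in (("SignatureMethod", RSA_SHA256), ("DigestMethod", SHA256)):
        node = root.find(f".//ds:{tag}", NS)
        if node is None or node.get("Algorithm") != want:
            problems.append(f"{tag} is not {want}")
    return problems

# Constructed sample, trimmed to the elements the lint reads (no real signature).
SAMPLE = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}"><a:Assertion>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <a:Subject>
  <a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</a:NameID>
  <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS_URL}"/></a:SubjectConfirmation>
 </a:Subject><a:AttributeStatement>
  <a:Attribute Name="{EMAIL_CLAIM}"><a:AttributeValue>alice@example.com</a:AttributeValue></a:Attribute>
  <a:Attribute Name="memberOf"><a:AttributeValue>devin-admins</a:AttributeValue></a:Attribute>
 </a:AttributeStatement>
</a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(lint_response(SAMPLE, group_attr="http://schemas.xmlsoap.org/claims/Group"))
```

Pass as `group_attr` the exact attribute name you plan to share in Step 4; a mismatch here is the case where login succeeds but IdP groups never sync.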

Step 4: Send Configuration to Cognition

Send the following to your Cognition account team:
  1. Sign In URL (e.g., https://idp.example.com/sso/saml)
  2. X509 Signing Certificate (the public certificate file or PEM-encoded text)
  3. Identity Provider Domains (all email domains for this IdP)
  4. Group Attribute Name (if using IdP groups) — the exact SAML attribute name configured in Step 3

Step 5: Complete Configuration with Cognition

After receiving your configuration, your Cognition account team will:
  1. Create the SAML connection and provide you with the Entity ID / Audience URI and a connection name
  2. Map your group attribute (if applicable) so that IdP groups sync automatically on each user login
Once you receive the Entity ID, update your SAML application’s Entity ID / Audience URI setting with the provided value.
Devin sends signed SAML authentication requests. Your SAML metadata file will be available at:
https://auth.devin.ai/samlp/metadata?connection=<connection_name>
where <connection_name> is the connection name provided by your Cognition account team. Import this metadata into your IdP to complete the trust configuration and enable request signature verification.

Verifying Your Setup

After you have updated the Entity ID and your Cognition account team confirms the configuration is complete:
  1. Navigate to your Devin Enterprise URL (e.g., https://<your_subdomain>.devinenterprise.com)
  2. Click Sign in with SAML (or the equivalent SSO button) to initiate the login flow
  3. You should be redirected to your IdP’s login page
  4. After authenticating, you should land in your Devin Enterprise organization
To verify IdP groups are working:
  1. Go to Settings > IdP Groups in the Devin webapp
  2. You should see your IdP groups listed after at least one group member has logged in
  3. Groups are synced on each login, so any membership changes in your IdP will take effect the next time a user signs in
IdP groups are fetched upon user login, so changes in group membership will require reauthentication. See IdP Group Integration for more details on configuring group-based access control.