Set up SAML single sign-on
Configure SAML SSO for your organization with domain verification.
SAML single sign-on lets your team sign in to Suede through your identity provider (IdP). SSO is available on the Enterprise plan.
Setting up SSO requires two steps: registering your SAML provider in Suede, then verifying ownership of your email domain via a DNS TXT record.
Before you begin
- Your organization must be on the Enterprise plan.
- You need the admin or owner role on the organization.
- You need access to your DNS provider to add a TXT record.
Register your SAML provider
Open SSO settings
Navigate to your organization's Settings > Security > Single Sign-On page.
Add a provider
Click Add Provider and fill in the SAML configuration:
- Domain - The email domain your team uses to sign in (e.g., acme.com).
- Issuer / Entity ID - The identifier your IdP assigns to the SAML application.
- SSO URL - The IdP's single sign-on endpoint.
- Certificate - The X.509 signing certificate from your IdP, in PEM format.
Save the provider
Click Save. The provider appears in the list with a "Pending verification" status.
Verify your domain
Domain verification proves you control the email domain associated with the SSO provider. Suede generates a DNS TXT record that you add to your domain's DNS configuration.
View the verification record
From the provider list, click Verify on the pending provider. Suede displays three values:
- Record type: TXT
- Record name: _better-auth-token-{providerId}.yourdomain.com
- Record value: _better-auth-token-{providerId}={token}
Add the DNS record
Log in to your DNS provider and add a TXT record with the name and value shown. The exact steps vary by provider.
Wait for DNS propagation
DNS changes can take anywhere from a few minutes to 48 hours to propagate. Most providers complete within 15 minutes.
Check verification
Return to the Suede verification panel and click Check Again. If the TXT record is found and matches, the domain is marked as verified and SSO becomes active.
Verification tokens expire after 7 days. If your token expires before verification completes, request a new one from the SSO settings page.
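A pre-check you can run from a terminal before clicking Check Again, as an added example that is not part of Suede's documentation or tooling: it builds the record name and value in the format shown above and compares them against `dig +short TXT` output. The provider ID, domain, and token arguments stand for the values in your verification panel, the script name is hypothetical, and exact-match comparison is an assumption about how Suede evaluates the record.

```shell
#!/bin/sh
# Added example: pre-check the Suede verification TXT record from a terminal.
# Usage: sh check-sso-txt.sh PROVIDER_ID DOMAIN TOKEN   (script name is hypothetical)

# Record name and value, in the format shown in the verification panel.
record_name()  { printf '_better-auth-token-%s.%s' "$1" "$2"; }
record_value() { printf '_better-auth-token-%s=%s' "$1" "$2"; }

# `dig +short TXT` prints one record per line as quoted strings; a long record
# is split into several strings ("part1" "part2") that must be joined.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Reads dig output on stdin; succeeds only if a record equals $1 exactly
# (exact matching is an assumption about how Suede compares the value).
txt_matches() {
    normalize_txt | grep -Fxq -- "$1"
}

check_domain() {
    name=$(record_name "$1" "$2")
    want=$(record_value "$1" "$3")
    if dig +short TXT "$name" | txt_matches "$want"; then
        echo "OK: $name carries the expected value"
        return 0
    fi
    # Many DNS consoles append the zone themselves, so pasting the full name
    # creates the record one level too deep (name.DOMAIN.DOMAIN).
    if dig +short TXT "$name.$2" | txt_matches "$want"; then
        echo "Found at $name.$2: re-enter the record name without the trailing .$2"
        return 1
    fi
    echo "No matching TXT record at $name yet (not propagated, or value differs)"
    return 1
}

# Only query DNS when called with the three arguments.
if [ "$#" -eq 3 ]; then
    check_domain "$@"
fi
```

A stale token from an earlier verification request or a trailing space pasted into the value both fail the exact match, which is the same outcome as a record that has not propagated yet.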
Edit an existing provider
From the SSO settings page, select a provider and click Edit. You can update the Issuer, SSO URL, and Certificate. The certificate field is optional when editing. If you leave it blank, the existing certificate is preserved.
Domain changes require a new round of domain verification.