Set up SAML Single Sign-On (SSO) in 15Five

Admins can configure SAML 2.0 Single Sign-On (SSO) so employees log in to 15Five using their organization's Identity Provider (IdP) credentials. When setup is complete, the SAML Single Sign-On page in 15Five shows a green enabled state and a valid metadata connection.

Note: SSO setup requires Admin access. If you do not see SAML Single Sign-On in Company Settings, contact 15Five Support to confirm your plan includes SSO.

Before You Begin

  • Obtain your IdP's XML Metadata file or URL from your Identity Provider before starting.
  • Enable Allow Password Sign In during setup so you retain email-and-password access while testing. Disable it only after SSO is confirmed working.
  • If you use SCIM or an HRIS integration, do not enable JIT provisioning — it will create duplicate accounts. See .

Steps

Phase 1: Set your subdomain

  1. Go to Company Settings > SAML Single Sign-On.
  2. Enter your company subdomain in the Subdomain field.

     - Must be all lowercase with no spaces or special characters.
     - Must be unique across 15Five accounts.

  3. Click Save.

Phase 2: Add metadata and contact details

  1. Enter your IdP's XML Metadata URL or paste the raw XML Metadata directly.
  2. Enter an SSO contact email for the person responsible for your IdP configuration.
  3. Check Automatically update metadata to allow 15Five to sync IdP metadata changes without manual updates.
  4. Click Save.

Phase 3: Configure SAML settings

  1. Review and set each SAML option:

     - SAML Single Sign-On Enabled — activates SSO for your account.
     - Allow Password Sign In — permits email-and-password login alongside SSO. Enable this during testing.
     - Allow IdP Initiated Login — allows users to launch 15Five directly from your IdP dashboard.
     - Allow Auto Login — automatically authenticates users already signed into your IdP. Requires Allow Password Sign In to be off.
     - Allow Creation of New Users (JIT Provisioning) — creates a 15Five account on first login for IdP-authorized users. See before enabling.
     - Require Manager Selection — prompts new users to select their manager on first login when manager data is not sent by the IdP.

  2. Click Save.

Phase 4: Set attribute mappings

  1. Verify the Name ID Contents and Email attribute name fields are filled in — both are required.
  2. If Name ID Contents is set to Not Used, fill in the Employee ID attribute name field.
  3. To sync manager data from your IdP, complete the Manager Attributes fields.

     - Do not complete this step if SCIM or an HRIS integration is already active.

  4. Select at least one of Ensure Assertions Are Signed or Ensure Messages Are Signed.
  5. Click Save.

Note: If you need help matching your IdP's attribute names to 15Five fields, contact 15Five Support with your attribute mappings.

Phase 5: Test the configuration

  1. Log out of 15Five completely.
  2. Go to https://.15five.com.
  3. Click Sign in using Single Sign-On.
  4. Complete authentication through your IdP.

What success looks like: You are redirected to 15Five and land on your home page without being prompted for a 15Five password.

If Something Goes Wrong

| Issue | Check | Fix |
| --- | --- | --- |
| Redirected to error page after IdP login | Confirm SAML Single Sign-On Enabled is checked and saved | Re-enable the toggle and click Save |
| 403 or 400 error on login | Confirm the email in 15Five matches the email in your IdP exactly | Update the mismatched email in Company Settings > People or in your IdP |
| 422 misconfiguration error | Check that Name ID Contents and Email attribute name are both filled in | Correct attribute mappings in your IdP and in the SAML Single Sign-On settings page |
| "This subdomain is not configured for SAML2 authentication" | Check for uppercase letters, spaces, or special characters in the subdomain field | Re-enter the subdomain in all lowercase with no spaces or special characters and click Save |
| Azure AD AADSTS errors | See Configure SSO with Azure AD for 15Five for Azure-specific error codes and fixes | Follow the steps in that article to correct Sign-on URL, Entity ID, or app assignment |
| ADFS attribute mapping not working | See Configure SSO with ADFS for 15Five for ADFS-specific claim rule requirements | Configure the Transform rule and NameID format as described in that article |

Not Covered Here

This article does not cover disconnecting SSO, managing employee accounts under SSO, IdP-specific configuration for Azure AD or ADFS, JIT provisioning behavior, or employee email update procedures. See the related articles below.

Related Articles
