Notion
This guide explains how to set up single sign-on (SSO) between SmartLink and Notion using SAML 2.0.
Prerequisites
- Notion Enterprise Plan
- Administrative access to Notion
- Verified email domain in Notion
- Application configured in SmartLink with SAML2
Note: SAML SSO is available only with the Notion Enterprise plan.
Configuration in SmartLink
1. Create the Application
- Log in to SmartLink as an administrator
- Go to Applications → Add
- Create a new application:
  - Name: Notion
  - URL: https://notion.so
  - Description: All-in-one workspace for notes and collaboration
  - Icon: Choose the Notion icon
2. Configure SAML2
- In the Authentication tab
- Select SAML2
- Configure the following parameters:
  - Entity ID: https://[your-smartlink].link.vaultys.org/[appid]
  - ACS URL: https://www.notion.so/sso/saml
  - Format NameID: emailAddress
  - App ID: [appid] (automatically generated unique identifier)
3. Retrieve Metadata
Note the following URLs:
- IdP Metadata: https://[your-smartlink].link.vaultys.org/api/saml2/[appid]/metadata
- SSO URL: https://[your-smartlink].link.vaultys.org/api/saml2/sso/[appid]
- SLO URL: https://[your-smartlink].link.vaultys.org/api/saml2/slo/[appid]
- Entity ID: https://[your-smartlink].link.vaultys.org/[appid]
- X.509 Certificate: Download from SmartLink
Configuration in Notion
1. Access SSO Settings
- Log in to Notion as an administrator
- Go to Settings & Members
- Click on Security & identity
- In the SSO section, click on Configure SAML
2. SAML Configuration
Fill in the following fields:
Identity Provider Configuration
- Identity provider SSO URL: https://[your-smartlink].link.vaultys.org/api/saml2/sso/[appid]
- Identity provider issuer: [appid]
- Public certificate: Paste the X.509 certificate from SmartLink
Service Provider Configuration
- Entity ID: notion.so (generated by Notion)
- ACS URL: https://www.notion.so/sso/saml (generated by Notion)
3. Attribute Configuration
Configure the SAML attribute mapping:
| Notion Attribute | SAML Attribute | Required |
|---|---|---|
| Email | email | ✅ |
| First Name | firstName | ✅ |
| Last Name | lastName | ✅ |
| Display Name | displayName | ❌ |
4. Advanced Configuration
Automatic Provisioning
- Auto-provisioning: Enabled
- Update user info on login: Enabled
- Remove users on SCIM deprovision: As per your policy
Allowed Domains
- Add your company domains
- Verify them via DNS (TXT record)
- Enable Enforce SSO for these domains
Workspace Configuration
Organization of Workspaces
```yaml
workspaces:
  - name: "Engineering"
    default_access: "member"
    groups:
      - "smartlink-engineering"
      - "smartlink-developers"
  - name: "Marketing"
    default_access: "guest"
    groups:
      - "smartlink-marketing"
  - name: "HR"
    default_access: "no_access"
    groups:
      - "smartlink-hr"
      - "smartlink-management"
```
Default Permissions
Configure in Notion:
- Settings & Members → Workspace settings
- Default permissions:
- Members can invite: ❌
- Members can create groups: ❌
- Members can export: ✅
- Members can use API: ✅
Group Management and Permissions
SCIM Configuration (optional)
For automatic group synchronization:
```json
{
  "scim_endpoint": "https://www.notion.so/scim/v2",
  "scim_token": "bearer_token_xxxxxx",
  "group_mappings": {
    "smartlink-admins": "workspace_admin",
    "smartlink-editors": "content_editor",
    "smartlink-viewers": "content_viewer"
  }
}
```
Available Roles
| Role | Permissions |
|---|---|
| Workspace Owner | Full access, billing management |
| Admin | Member and settings management |
| Member | Content creation and editing |
| Guest | Limited access to specific pages |
Configuration Testing
1. Connection Test
- Open a private browsing window
- Go to notion.so/login
- Click on Continue with SAML SSO
- Enter your company email
- You will be redirected to SmartLink
- After authentication, you will access Notion
2. Application Testing
- Desktop: Desktop application supports SSO via browser
- Mobile: iOS and Android support SSO
- Web Clipper: Browser extension compatible with SSO
3. API Verification
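```javascript
// Testing Notion API with authentication
const { Client } = require('@notionhq/client');

const notion = new Client({
  auth: process.env.NOTION_TOKEN,
});

async function testConnection() {
  // users.me() returns the bot user that owns the token
  const response = await notion.users.me({});
  console.log(response);
}

// Run the check; a missing or rejected token surfaces as an error here
testConnection().catch(console.error);
```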
Integration with Notion API
Integration Configuration
- Settings & Members → My connections
- Develop or manage integrations
- Create a new integration:
```json
{
  "name": "SmartLink Integration",
  "capabilities": {
    "read_content": true,
    "update_content": true,
    "insert_content": true
  },
  "oauth_redirect_uri": "https://[your-smartlink].link.vaultys.org/callback"
}
```
Webhooks for Synchronization
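```javascript
// Webhook for syncing changes
const express = require('express');
const app = express();
app.use(express.json()); // req.body is undefined without a JSON body parser

// syncNewPage and syncDatabase are the application's own sync routines.
app.post('/webhook/notion', async (req, res) => {
  const { type, data } = req.body;
  switch (type) {
    case 'page.created':
      await syncNewPage(data);
      break;
    case 'database.updated':
      await syncDatabase(data);
      break;
  }
  res.status(200).send('OK');
});
```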
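The webhook handler above acts on any POST that reaches `/webhook/notion`. The following added example (not part of the original guide, SmartLink or the Notion SDK) authenticates the request before syncing anything. It assumes the sender signs the raw body with HMAC-SHA256 under a shared secret and sends `sha256=<hex>` in an `X-Notion-Signature` header; the function names and sample values are hypothetical.

```javascript
// Added example: signature check for the /webhook/notion handler.
// Assumptions (not from the page): the sender puts "sha256=<hex HMAC-SHA256 of
// the raw body>" in an X-Notion-Signature header, keyed with a shared secret.
const crypto = require('node:crypto');

const HANDLED_TYPES = new Set(['page.created', 'database.updated']);

function signBody(rawBody, secret) {
  const mac = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  return `sha256=${mac}`;
}

function verifySignature(rawBody, header, secret) {
  if (typeof header !== 'string') return false;
  const expected = Buffer.from(signBody(rawBody, secret));
  const received = Buffer.from(header);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Framework-independent core of the handler: returns the HTTP status to send
// and the event to sync (or null). The body is parsed only after it verifies.
function handleWebhook(rawBody, headers, secret) {
  if (!verifySignature(rawBody, headers['x-notion-signature'], secret)) {
    return { status: 401, event: null };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, event: null };
  }
  if (!HANDLED_TYPES.has(body.type)) return { status: 200, event: null };
  return { status: 200, event: { type: body.type, data: body.data } };
}

// Constructed sample request (not real Notion traffic).
const SECRET = 'constructed-test-secret';
const SAMPLE = JSON.stringify({ type: 'page.created', data: { id: 'p1' } });
const good = handleWebhook(SAMPLE, { 'x-notion-signature': signBody(SAMPLE, SECRET) }, SECRET);
const forged = handleWebhook(SAMPLE, { 'x-notion-signature': 'sha256=00' }, SECRET);
console.log(good.status, forged.status);
```

In Express, capture the raw bytes with `express.json({ verify: (req, res, buf) => { req.rawBody = buf; } })` and pass `req.rawBody` to `handleWebhook`, since re-serialising `req.body` may not reproduce the signed bytes.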
Troubleshooting
Error "SAML configuration is invalid"
Issue: Incorrect SAML configuration
Solution:
- Verify that the Entity ID is [appid]
- Check the format of the X.509 certificate (without extra spaces or line breaks)
- Ensure that the ACS URL is: https://www.notion.so/sso/saml
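The checks in this troubleshooting entry can be run before the values are pasted into Notion. This is an added example, not SmartLink or Notion code; the config object shape, the function names and the sample tenant and certificate body are hypothetical and constructed, and the certificate check is structural only (it does not validate a real certificate).

```javascript
// Added example: lint the SAML values before pasting them into Notion.
// Config shape and function names are hypothetical.
const EXPECTED_ACS = 'https://www.notion.so/sso/saml';

function checkPem(pem) {
  const m = /^-----BEGIN CERTIFICATE-----\r?\n([\s\S]+?)\r?\n-----END CERTIFICATE-----\s*$/.exec(pem);
  if (!m) return ['certificate: BEGIN/END CERTIFICATE lines missing or damaged'];
  const problems = [];
  if (m[1].split(/\r?\n/).some((l) => l === '' || /\s/.test(l))) {
    problems.push('certificate: spaces, tabs or blank lines inside the body');
  }
  const b64 = m[1].replace(/\s/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
    problems.push('certificate: body is not valid base64');
  } else if (Buffer.from(b64, 'base64')[0] !== 0x30) {
    problems.push('certificate: body is not DER (no leading SEQUENCE tag)');
  }
  return problems;
}

function checkSamlConfig(cfg) {
  const problems = [];
  for (const [key, value] of Object.entries(cfg)) {
    // Template markers such as [appid] must be replaced with real values.
    if (key !== 'certificate' && /\[[^\]]+\]/.test(value)) {
      problems.push(`${key}: unreplaced placeholder in "${value}"`);
    }
  }
  if (cfg.acsUrl !== EXPECTED_ACS) problems.push(`acsUrl: must be exactly ${EXPECTED_ACS}`);
  if (cfg.nameIdFormat !== 'emailAddress') problems.push('nameIdFormat: must be emailAddress');
  let sso = null;
  try { sso = new URL(cfg.ssoUrl); } catch { problems.push('ssoUrl: not a valid URL'); }
  if (sso && sso.protocol !== 'https:') problems.push('ssoUrl: must use https');
  if (sso && !sso.pathname.startsWith('/api/saml2/sso/')) problems.push('ssoUrl: path must be /api/saml2/sso/<appid>');
  return problems.concat(checkPem(cfg.certificate));
}

// Constructed sample values: the tenant, app id and certificate body are made up.
const GOOD = {
  ssoUrl: 'https://example.link.vaultys.org/api/saml2/sso/app123',
  acsUrl: EXPECTED_ACS,
  nameIdFormat: 'emailAddress',
  certificate: '-----BEGIN CERTIFICATE-----\nMIIBconstructedSampleBodyNotARealCertificate0000\n-----END CERTIFICATE-----\n',
};
const BAD = { ...GOOD, acsUrl: 'https://notion.so/sso/saml',
  ssoUrl: 'http://example.link.vaultys.org/api/saml2/slo/app123',
  certificate: GOOD.certificate.replace('Sample', 'Sam ple') };
console.log(checkSamlConfig(GOOD), checkSamlConfig(BAD));
```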
Error "User email domain not authorized"
Issue: Email domain is not verified
Solution:
- In Notion → Security & identity → Domain management
- Add and verify your domain
- Add the DNS TXT record provided by Notion
Users are not auto-created
Issue: Auto-provisioning is not working
Solution:
- Check that Auto-provisioning is enabled
- Ensure that the mandatory SAML attributes are present: email, firstName, lastName
- Check the SAML logs in Notion
Group synchronization issue
Issue: Groups are not mapped correctly
Solution:
```xml
<!-- Correct SAML assertion for groups -->
<saml:Attribute Name="groups">
  <saml:AttributeValue>smartlink-notion-admins</saml:AttributeValue>
  <saml:AttributeValue>smartlink-notion-users</saml:AttributeValue>
</saml:Attribute>
```
Security
Best Practices
- Enforce SSO: Enable SSO requirement for all users
- Session timeout: Configure an appropriate session duration (recommended 8h)
- 2FA backup: Maintain an admin account with 2FA as backup
- Audit logs: Regularly review logs in Settings → Audit log
- API tokens: Manage API tokens for integrations separately
Advanced Security Configuration
```json
{
  "security_settings": {
    "enforce_sso": true,
    "session_duration": "8h",
    "allow_public_sharing": false,
    "disable_guests": false,
    "disable_export": false,
    "watermark_exports": true,
    "audit_log_retention": "365d"
  }
}
```
Compliance and Privacy
- GDPR: Notion is GDPR compliant
- SOC 2: Certification available
- Encryption: AES 256 at rest, TLS 1.2+ in transit
- Data Localization: Choose your region (US/EU)
Migration of Existing Users
Migration Script
```python
import csv

import requests  # HTTP client for the helper implementations below


def migrate_notion_users(csv_file):
    """Migrate users to SSO"""
    with open(csv_file, 'r', newline='') as file:
        reader = csv.DictReader(file)
        for row in reader:
            user_email = row['email']
            # Send SSO invitation
            send_sso_invitation(user_email)
            # Disable old access
            disable_password_login(user_email)
            print(f"Migrated: {user_email}")


def send_sso_invitation(email):
    # Logic to send the invitation
    pass


def disable_password_login(email):
    # Logic to disable password login (called above, so it must be defined)
    pass
```
User Communication
Email template for migration:
Subject: Migration to Single Sign-On (SSO) for Notion
Hello,
Starting from [DATE], we are migrating to single sign-on for Notion.
Actions required:
1. Use your work email to log in
2. You will be redirected to SmartLink
3. Use your usual SmartLink credentials
Benefits:
- Single password to remember
- Enhanced security
- Simplified access
Support: support@company.com