Available on the Enterprise plan.
Overview
SAML SSO lets your team log in to Wave through your organization’s identity provider (IdP). Instead of managing a separate Wave password, users authenticate with the same credentials they use for everything else. Wave supports SAML 2.0 and works with any standards-compliant identity provider, including Okta, Microsoft Entra ID, Google Workspace, OneLogin, JumpCloud, and Ping Identity. Wave also supports OpenID Connect (OIDC). Contact support@wavecnct.com if you need a guide.How It Works
There are two login paths depending on whether the user already has a Wave account. No account yet: The user clicks Sign in with SSO on the Wave login page and enters your organization’s username. This username is found in your organization settings. Wave redirects them to your identity provider, they authenticate, and their account is created automatically on first login. Existing account with SSO enforced: The user enters their email as usual. Wave detects that SSO is enforced for their organization and redirects them to your identity provider to authenticate.Setup
SAML SSO is configured by the Wave team. To set it up:Get Wave's SAML details
Contact your Wave account manager or support@wavecnct.com. They will provide:
- ACS URL (Assertion Consumer Service URL)
- Entity ID
- Name ID Format: Email address
Create a Wave app in your IdP
In your identity provider, create a new SAML 2.0 application for Wave. Use the ACS URL and Entity ID from the previous step.
Share your IdP metadata with Wave
Copy your identity provider’s SAML metadata URL (or download the XML file) and send it to your Wave account manager.