What Is SAML2 and Why Does It Matter for Your Organization?
SAML2 – Security Assertion Markup Language version 2 – is the open standard that powers single sign-on (SSO) across enterprise applications. It lets your Identity Provider (IdP), such as Microsoft Entra ID or Okta, handle the login and then send a digitally signed message to a service like Simplelists confirming who the user is. The user gets in. No extra password. No extra login screen.
That matters more than ever in 2026. Over 82% of enterprises with 1,000 or more employees have adopted SSO systems to strengthen access control and reduce credential fatigue, according to recent SSO market research. The SSO market itself is projected to reach $9.4 billion by 2030, driven by the simple reality that managing dozens of separate logins creates real security exposure and real frustration for your team.
For organizations running Simplelists for group email management, enabling SAML2 SSO means your team signs in exactly the way they sign in to every other business application – through your corporate IdP. Access is centralized. Offboarding is instant. Auditors get the trail they need. And your IT team stops fielding password reset requests.
Why SSO Is a Priority in 2026
- A 2025 study found SSO effective for 80% of participating organizations, with an average 35% decrease in security incidents after implementation
- Credential abuse accounted for 22% of security incidents in Verizon’s 2025 Data Breach Investigations Report
- Organizations implementing SSO save an average of 1,200 IT hours per year from reduced password reset requests
- 68% of employees switch between ten apps or more every hour – SSO eliminates the friction for every one of those switches
How SAML2 SSO Works in Simplelists – in Plain English
There are three components to any SAML2 setup, and Simplelists plays a specific role in each one.
Identity Provider (IdP)
Where the user signs in. This is your existing corporate system – Microsoft Entra ID, Okta, ADFS, Auth0, Ping, or Shibboleth. You control this. You set the password policy, MFA rules, and who gets access.
Service Provider (SP)
The application the user wants to access. In this case, that’s Simplelists. Once you configure the Simplelists authentication provider, it becomes a trusted endpoint your IdP knows about and can route users to.
SAML Assertion
The signed digital message your IdP sends to Simplelists during sign-in. Think of it as a tamper-evident ID badge: it confirms who the user is and that the IdP vouches for them, and the signature lets Simplelists detect whether the message was altered in transit.
When everything is configured, the process is invisible to your users. They click Simplelists on their app portal, your IdP checks their session, issues a signed assertion, and they land straight in Simplelists – no separate login required. Authentication happens at your IdP, in your environment, under your policies. Simplelists simply accepts the signed confirmation and grants access.
What You Need Before You Start
SAML setups have a reputation for being awkward. They don’t have to be – the most common problems come from doing the steps out of order or not having the right access ready upfront. Before you begin, make sure you have these three things in place.
- Admin access to your Simplelists account. You’ll need to create and configure an authentication provider in Simplelists, which requires administrator permissions.
- Admin access to your Identity Provider. You’ll be registering Simplelists as a trusted application in your IdP, uploading metadata, and configuring certificates – all admin-level tasks.
- One test user. Before rolling out SSO to your whole organization, validate the entire sign-in flow with a single user. Simplelists applies authentication per user, which makes this easy to do safely.
That’s it. If you have those three things, you’re ready to go.
Step-by-Step: Setting Up SAML2 SSO in Simplelists
The setup follows a clear two-step sequence. Starting in the right place saves you a lot of back-and-forth.
STEP 1 – Set Up in Simplelists First
Always start on the Simplelists side. This is where you create the authentication provider and get the exact values your IdP will need – including the metadata file, signing certificate, and the RelayState value used for IdP-initiated sign-in.
Starting here means you’ll never have to guess what to enter in your IdP. Everything your IdP asks for – entity IDs, callback URLs, certificate files – comes directly from this provider configuration.
Key decisions you’ll make at this stage include whether to use unique URLs (recommended if you may ever run more than one Simplelists instance), which user attributes Simplelists should update on each sign-in, and whether to enable group mapping.
Configure your Simplelists SAML2 provider →
STEP 2 – Configure Your Identity Provider
Once your Simplelists authentication provider is ready, take the metadata, certificate, and RelayState value into your IdP. Each platform handles this slightly differently. Use the guide that matches your setup:
| Identity Provider | Key Thing to Know | Setup Guide |
|---|---|---|
| Microsoft Entra ID (Azure AD) | Import the Simplelists saml.xml to prefill most settings; download the Base64 certificate and federation metadata XML to bring back | Microsoft Entra ID SAML2 setup guide → |
| Okta | Identifiers must match exactly – pay close attention to the single sign-on URL and audience URI; set email as the app username | Okta SAML2 setup guide → |
| ADFS | Import the Simplelists metadata for the fastest setup; configuring the claims issuance policy correctly is the step most commonly missed | ADFS SAML2 setup guide → |
| Auth0 | Certificate formatting matters – the signing certificate must be single-line with embedded newlines when uploaded back to Simplelists | Auth0 SAML2 setup guide → |
| Ping | RelayState goes in the Target Application URL field – easy to miss; consider whether to enforce signed AuthnRequests before testing IdP-initiated sign-in | Ping SAML2 setup guide → |
| Shibboleth | Add the Simplelists metadata to your configuration, adjust relying party settings, and allow the email address NameID format | Shibboleth SAML2 setup guide → |
STEP 3 – Test with One User First, Then Roll Out
Because Simplelists applies authentication at the individual user level, you can assign SAML2 to a single test user, confirm the full sign-in flow works end to end, and then expand to the rest of your organization when you’re confident everything is stable.
This approach means zero disruption to your existing users during setup. Move one person first. Validate. Then migrate everyone else at a time that suits your team.
What SSO Means for Your Team Day-to-Day
Enabling SAML2 SSO in Simplelists isn’t just a security checkbox – it changes how your organization manages access in a way that saves real time every week.
For your team members, Simplelists simply appears in their existing app portal alongside every other application. They click it, they’re in. No Simplelists password to remember, reset, or forget.
For your IT team, access management becomes centralized. When someone leaves your organization, you disable their account in your IdP and their access to Simplelists – along with every other application – is revoked immediately. No manual cleanup, no orphaned accounts.
For compliance teams, the audit trail lives where it always has – in your IdP’s logs. Authentication events are centralized and consistent, which makes your next audit significantly easier.
SSO is included in the Simplelists Enterprise plan. If you’re evaluating whether Simplelists fits your organization’s needs, you can explore all Simplelists plans and pricing – including the one-month free trial available across all tiers, with no payment details needed to register.
When Something Goes Wrong: SAML2 Troubleshooting
Most SAML2 issues come down to a small number of root causes. Before you start changing things at random, check these three areas first – they account for the vast majority of failed or unstable SAML setups.
The Three Most Common Causes of SAML Sign-In Problems
- RelayState mismatch. The value your IdP sends must exactly match the RelayState configured in your Simplelists authentication provider. Check both sides character-by-character.
- Wrong certificate uploaded to Simplelists. Simplelists needs the certificate that matches the key your IdP actually used to sign the SAML message. Re-download the signing certificate directly from your IdP and upload it fresh.
- Group mapping enabled before groups are configured. If you’ve turned on group mapping in Simplelists but your SAML response isn’t sending group data, sign-ins will fail. Get basic sign-in working first, then add group mapping.
For a full checklist of what to verify – including sign-in loops, “worked once” scenarios, and certificate validation – see the Simplelists SAML2 troubleshooting guide.
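The three checks above can be run offline against a captured, already base64-decoded SAML response. The script below is an added example, not Simplelists or IdP code. The certificate bytes, the RelayState values, and the `groups` attribute name are constructed placeholders; use the attribute name your IdP actually sends.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(cert_text):
    """SHA-256 of the certificate's DER bytes; accepts PEM or bare base64."""
    lines = (cert_text or "").strip().splitlines()
    body = "".join(l.strip() for l in lines if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def first_mismatch(expected, received):
    """Index of the first differing character, or None when identical."""
    if expected == received:
        return None
    for i, (a, b) in enumerate(zip(expected, received)):
        if a != b:
            return i
    return min(len(expected), len(received))  # one value is a prefix of the other

def diagnose(response_xml, uploaded_cert, expected_relay, received_relay, group_attr=None):
    """Diagnostic only: compares values, does NOT validate the XML signature."""
    root, findings = ET.fromstring(response_xml), []
    pos = first_mismatch(expected_relay, received_relay)
    if pos is not None:
        findings.append(f"relaystate-mismatch@{pos}")
    embedded = [fingerprint(c.text) for c in root.iterfind(".//ds:X509Certificate", NS)]
    if not embedded:
        findings.append("no-embedded-certificate")  # KeyInfo is optional in SAML
    elif fingerprint(uploaded_cert) not in embedded:
        findings.append("signing-certificate-mismatch")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    if group_attr is not None and group_attr not in names:
        findings.append("group-attribute-missing")
    return findings

# Constructed sample data: placeholder bytes stand in for real DER certificates.
CERT_A = base64.b64encode(b"constructed-idp-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-idp-cert-B").decode()
def as_pem(b64):
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"><saml:Assertion>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:AttributeStatement><saml:Attribute Name="email">
  <saml:AttributeValue>test.user@example.org</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, as_pem(CERT_B), "rs-123", "rs-123 ", "groups"))
```

The trailing space in the received RelayState is reported at index 6, which is the kind of difference a visual comparison tends to miss.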
Frequently Asked Questions
What is SAML2 and how does it work with Simplelists?
SAML2 is a standard that allows your Identity Provider to verify user identities and pass that confirmation to Simplelists as a signed digital message. The user logs in once through your IdP – Microsoft Entra ID, Okta, ADFS, or another supported provider – and Simplelists accepts the signed assertion without requiring a separate password. You can read the full technical background on the OASIS SAML standard specification.
Should I configure Simplelists or my Identity Provider first?
Always configure the Simplelists SAML2 authentication provider first. This is where you generate the metadata file, signing certificate, and RelayState value that your IdP will request. Doing it in this order means you never have to guess what to enter in your IdP – everything comes directly from Simplelists.
Which Identity Providers does Simplelists SAML2 SSO support?
Simplelists supports any SAML2-compliant Identity Provider. Step-by-step guides are available for Microsoft Entra ID (Azure AD), Okta, ADFS, Auth0, Ping, and Shibboleth. If you use a different provider, the general SAML2 setup principles apply – you’ll need your IdP’s metadata XML and signing certificate to complete the configuration.
Can I roll out SAML2 SSO to my organization gradually?
Yes. Simplelists applies authentication settings per user, which means you can assign SAML2 to one test user first, validate the full sign-in flow, and then expand to the rest of your team when you’re confident. There’s no need to switch everyone over at once – a phased rollout is the recommended approach.
What is RelayState and why does it keep causing problems?
RelayState is the value your IdP sends to Simplelists during IdP-initiated sign-in to route the login to the correct destination. Simplelists verifies that the received RelayState matches what’s configured in your authentication provider. Mismatches – even minor ones – cause failed logins. Each IdP places the RelayState value in a slightly different field; the IdP-specific guides call out the exact location for each platform.
What does “the signing certificate is incorrect” mean?
It means the certificate uploaded into your Simplelists authentication provider doesn’t match the certificate your IdP is actually using to sign the SAML messages. The fix is simple: re-download the signing certificate directly from your IdP and upload it to Simplelists again. Make sure you’re downloading the current, active certificate – not an old one.
Which Simplelists plan includes SSO?
SSO using SAML2 is included in the Simplelists Enterprise plan, which also supports up to 50,000 members (with additional member packs available), 24/7 priority support, and a service-level agreement. You can compare all Simplelists plans and pricing – a one-month free trial is available for new accounts, with no payment details required to register.
References & Further Reading
- Configuring a SAML2 Authentication Provider – Simplelists
- Configuring Microsoft Entra ID (Azure AD) for Simplelists SAML2 – Simplelists
- Configuring ADFS for Simplelists SAML2 – Simplelists
- Configuring Auth0 for Simplelists SAML2 – Simplelists
- SAML2 Troubleshooting Guide – Simplelists
- Single Sign-On in 2025: SSO Stats & Security Trends – Expert Insights
- SAML2 Technical Specification – OASIS Security Services Technical Committee
- 8 Single Sign-On (SSO) Best Practices – Reco
- Single Sign-On Service Market Size & Forecast to 2034 – Industry Research
Ready to set up SSO for your organization?
Start with the Simplelists SAML2 provider configuration, then follow the guide for your IdP. Your whole team can be signing in through SSO – no separate Simplelists password – in less than an hour.