SAML 2.0 SSO is included in the standard Pro plan — no enterprise tier, no sales call. Integrate with Okta, Microsoft Entra ID or Google Workspace and manage SealedKeys access through your existing identity provider.
Register SealedKeys as a SAML 2.0 application in your Okta admin panel. Copy the metadata URL into SealedKeys Settings → SSO. Done.
Works with Okta Classic and Okta Identity Engine. Group-based assignment supported.
Create an Enterprise Application in Entra ID with SAML authentication. Paste the metadata XML into SealedKeys Settings → SSO.
Works with Microsoft 365 tenants. Azure AD B2B guest users supported via standard SAML flow.
Add a custom SAML app in your Google Workspace Admin console. Copy the SSO URL and certificate into SealedKeys Settings → SSO.
Works with all Google Workspace plans. OU-based access control supported.
Paste your IdP's SAML metadata URL or XML into SealedKeys Settings → SSO. One-time setup per organisation.
Users click 'Sign in with SSO', enter their organisation domain, and are redirected to your identity provider, where they authenticate with their corporate credentials.
SSO handles identity only. Each user's vault key is still derived from their vault password client-side — the identity provider never has access to encrypted secrets.
Remove the user from SealedKeys in your IdP or in Settings → Members. Access is revoked on the next authentication attempt — no separate offboarding step.
No. SAML 2.0 SSO is included in the standard Pro plan at £3.49/user/month. There is no separate enterprise tier required for SSO. Configure Okta, Entra ID or Google Workspace directly in Settings → SSO.
SSO handles authentication — proving who you are. It does not handle vault decryption. Your vault key is derived from a separate vault password in your browser using PBKDF2-SHA256. The identity provider never sees your vault key or your secrets. This means even if your IdP were compromised, your vault remains encrypted.
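The separation described above, as an added illustration that is not SealedKeys' own code: the vault key comes from the vault password through PBKDF2-SHA256, and no value from the SAML login enters the derivation. The iteration count, salt size and AES-256-GCM item encryption are assumptions (the page names only PBKDF2-SHA256), and Node's `crypto` module stands in for the browser.

```javascript
// Added example, not SealedKeys code. ITERATIONS, the salt size and the use
// of AES-256-GCM are assumptions; the page only states PBKDF2-SHA256.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000; // assumed work factor
const KEY_LEN = 32;        // 256-bit key

// Derive the vault key from the vault password and a per-user salt.
// Nothing issued by the IdP (NameID, assertion, session) is an input.
function deriveVaultKey(vaultPassword, salt) {
  return nodeCrypto.pbkdf2Sync(vaultPassword, salt, ITERATIONS, KEY_LEN, 'sha256');
}

// Encrypt one vault item under the derived key with a fresh 96-bit nonce.
function sealItem(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt an item; returns null when the key is wrong or the data was altered.
function openItem(key, sealed) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  try {
    return Buffer.concat([decipher.update(sealed.ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed
  }
}

// Constructed sample data: what the vault owner can open versus what a key
// built only from SSO-visible identity data can open.
function demo() {
  const salt = nodeCrypto.randomBytes(16);
  const ownerKey = deriveVaultKey('constructed-vault-password', salt);
  const sealed = sealItem(ownerKey, 'db-password=example');
  const ssoOnlyKey = deriveVaultKey('alice@example.com', salt); // identity, not the vault password
  return {
    owner: openItem(ownerKey, sealed),
    ssoOnly: openItem(ssoOnlyKey, sealed),
  };
}

console.log(demo());
```
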
Users who have set a vault password can still log in with their email and vault password during an IdP outage. SSO is an additional authentication path, not the only one. This prevents a single point of failure in your access control.
SSO enforcement — requiring all team members to authenticate via the identity provider — is available on Enterprise plans. On Pro, SSO is an option users can choose. Contact hello@sealedkeys.com for Enterprise.
SCIM provisioning — automatically creating SealedKeys accounts when users are added to the IdP group — is on the Enterprise roadmap. Pro includes SSO but requires manual user invitation in SealedKeys.
SealedKeys supports SAML 2.0 HTTP POST binding and the SP-initiated authentication flow. The SP metadata is available at your organisation's SealedKeys SSO settings page once SSO is configured. Contact hello@sealedkeys.com for IdP-initiated flow requirements.
25 items free. SAML SSO in Pro at £3.49/user/month. No credit card.