Skip to main content

How to add device security verification to Notion

License requirements

To configure Notion with XFA you need the Business or Enterprise license that includes the SAML SSO feature. You can find more information about the different licenses here.

Notion' SSO feature can be used to chain XFA with your identity provider to verify device security before allowing a user to log in. This guide will describe all steps needed to link Notion to XFA, which in turn links to your identity provider.

Note: This article assumes that you have an account set up with XFA for your organization and your are an admin for that organization. If you do not have an account, you can create one at

Configure Notion with XFA in your identity provider

Use our specific identity provider guides to learn how to setup an application with the provided settings.

Copy the SSO URL, Entity ID and Certificate from the identity provider to use in the next steps.

Use the pre-created Notion app in Google Workspace

Instead of creating a custom SAML application, search for the Notion (Web/SAML) application in de gallery of Google Workspace.

SAML Application Settings for IdP

Entity ID:
ACS URL / Redirect URL:
Signed Response: false

An attribute mapping will be requested, use the following values:
firstName: First name
lastName: Last name
email: Primary email


The ACS URL / Redirect URL is different than the standard Notion configuration

Verify your organization domains in Notion

Notion workspaces require that all domains (e.g. of your users that will use SSO are verified.

This can be done by clicking on Settings & members in your worspace and navigate to Verified domains, where you can add a domain and verify it.

Adding a new domain consists of:

  • Adding a TXT record (provided by Notion) to your domain's DNS settings.
  • Click on Verify in Notion.
Multiple domains

If you have multiple domains that will use SSO, you need to verify all of them.

Get Workspace Assertion Consumer URL from Notion

To have all the information for the following steps, click on Settings & members in your workspace and navigate to Identity & Provisioning.

Under SAML Single Sign-On, enable the Enable SAML SSO switch (or Edit SAML SSO configuration button) to reveal a popup that shows the Assertion Consumer URL for your Notion workspace.

Copy this value (e.g.<workspace-id>) and leave the popup open.

Creating an application in XFA

A guide on how to create an application in XFA can be found here.

Settings to use in XFA

Assertion Consumer Service URL:<workspace-id> (from the previous step)
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)

You will can either download the metadata XML file or copy the URL to the metadata in the XFA application settings to use in the following step.

Configure Notion with XFA

1. Login to your Notion workspace and navigate to the SAML settings

Go back to the open popup from the previous steps in notion or navigate to Settings & members > Identity & Provisioning > SAML Single Sign-On > Enable the Enable SAML SSO switch or click on Edit SAML SSO configuration.

2. Provide the Metadata XML file or URL

In the popup, you can either upload the metadata XML file or provide the URL to the metadata XML file from XFA.

3. Save the configuration

Click on Save changes to save the configuration. Your users will now be asked to verify their device security with XFA in addition to their identity before they can login with SSO to Notion.

Next Steps

Your users can now login through SSO by clicking on Log in with SSO on the Notion login page. After which they will be guided to the identity provider before their device security is verified with XFA.

User can still use their previous login method (if not SSO) which allows them to bypass the device security verification. To enforce device security verification, you can disable the other login methods in the SAML settings in Notion.

Disable other login methods

To disable other login methods, navigate to Settings & members > Identity & Provisioning > SAML Single Sign-On and select the 'Only SAML SSO' option for Login Methods.

This will disable all other login methods and only allow users to login through SSO, requiring device security verification with XFA.