Skip to content

This page is for Group Professional administrators who have configured and enabled single sign-on (SSO). Please see the documentation on configuring group SSO if this has not already been set up.

You can modify your SSO setup to complete tasks such as adding certificates, changing other aspects of your IdP configuration.

Managing your users in Overleaf

Group members list

Within your members management page you're able to see which members are linked to your SSO. Members will receive an email notification to authenticate with your SSO provider once SSO is enabled and they are also encouraged to do so after logging in. (See Managing a group subscription for how to add or remove group members.)

Your members will not be required to link to your SSO provider. Once linked, they will have the option to log in via SSO or other login methods unless Managed Users is enabled. See Making SSO an exclusive login option.

Group member dropdown menu

Via the three-dot menu at the end of the row in the members table, there are options to help manage your members. For members who are not linked, you can send an email reminder to authenticate with your SSO provider. For members who are linked, you can unlink them from your SSO provider so that they can reauthenticate. This action should only be taken when you need to correct the unique identifier associated with a specific user. See Updating your SSO setup below if the unique identifier needs to be corrected for all group members.

Understanding errors reported by users

Below are some errors that your users might encounter when authenticating their Overleaf account with your SSO provider for the first time or when trying to log in via your SSO provider.


This email address isn’t set up for SSO. Please check it and try again or contact your administrator.


Members will see this message if they try to log in via SSO but their account is not yet authenticated with your SSO provider. They will need to log into their Overleaf account as they did before. After logging in, members will be directed to the SSO enrollment page. They can also authenticate with your SSO provider via their user settings page.


Sorry, you are trying to log in to X but the identity returned by your identity provider is not the correct one for this Overleaf account.


The email address they tried to log in with is not associated with the unique identifier from your IdP. The member will need to log out of your SSO provider and log in with the correct account.


Sorry, the information received from your identity provider is not signed (both response and assertion signatures are required). Please contact your administrator for more information.


This is a configuration problem within your IdP. The authentication request with your SSO provider failed because your SSO provider is no longer sending a signed response and assertion.


Updating your SSO setup

Unlinking users from your SSO provider

Your Overleaf Group SSO settings include an option to Unlink users. If you are migrating to a new IdP or changing the attributes that are being sent to Overleaf by your IdP, you may need to use the Unlink users option.

Unlink users

The Unlink users option removes the unique identifier from every group member’s account, essentially removing the login option via your SSO provider. This action requires each user to relink their Overleaf account to their SSO identity and they will receive an email notification to do so. There is also the option to unlink individual users to correct issues unique to specific users. See Managing your users in Overleaf.

An administrator should unlink all members only if they are making a change to the IdP configuration that changes the name or the values of the Unique Identifier. All other aspects of the SSO configuration, including the Redirect URL and the Certificates can change without requiring the unlinking of users.

Updating your certificate

The certificates that IdPs use to sign the responses that they send to services expire after a certain period of time. It's important to keep the certificate that has been provided to Overleaf up to date. If your certificate has expired, your users will see an error when attempting to log in to Overleaf.

You can check on your certificate expiry dates in the SSO configuration section of your Group Settings.

SSO certificate

Overleaf's SSO configuration page provides a way to ensure that certificates can be replaced without interrupting access to the Overleaf service.

  1. Add the new certificate to Overleaf's SSO configuration page. You will now have two certificates configured: the original certificate and the updated new certificate.
  2. You can keep these two certificates in place until you have completed the certificate change over in your IdP.
  3. Once your IdP is using the new certificate, you can remove the original certificate in Overleaf.

Changing your IdP configuration

You might sometimes need to change other aspects of the Identity Provider (IdP) configuration. This can happen if you're changing the solution that you're using for your IdP, for example. In cases like this, you will have to temporarily disable SSO access.

You can disable SSO via your group settings page. After disabling, you can click View configuration and then Edit to modify and test your new IdP configuration.

When SSO access is disabled, Overleaf users can log in to their Overleaf accounts using their email address and an Overleaf-specific password. Users will receive a notification by email when SSO access is disabled. Once SSO is enabled again, they can log in again via SSO without needing to re-link their Overleaf account to their SSO identity. If your configuration changed the unique identifier then you will need to Unlink users. See Unlinking users from your SSO provider.

View SSO configuration

Related documentation

Overleaf guides

LaTeX Basics

Mathematics

Figures and tables

References and Citations

Languages

Document structure

Formatting

Fonts

Presentations

Commands

Field specific

Class files

Advanced TeX/LaTeX