Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.labelbox.com/llms.txt

Use this file to discover all available pages before exploring further.

Single sign-on (SSO) allows your team to log in to Labelbox using the same identity provider you use for other services—no separate Labelbox passwords required. Once SSO is enabled for your organization, Labelbox automatically detects your domain at login and redirects users to your identity provider for authentication. Single sign-on is an add-on available to Enterprise customers. To request this add-on, contact Sales.

Before you begin

To set up SSO, you’ll need to gather the following information from your identity provider. Most of this can be found in your identity provider’s admin console or extracted from a metadata XML file.

For SAML providers (recommended):
  • Sign-in URL: The login URL provided by your identity provider (sometimes called the SSO URL or SAML endpoint). This can be extracted from a metadata XML file if you have one.
  • X.509 signing certificate: The public certificate your identity provider uses to sign SAML assertions. This should be in PEM or CER format and can also be extracted from a metadata XML file.
  • Email domain(s): The domain(s) associated with users who will log in via SSO (e.g., yourcompany.com).
For OIDC providers:
  • Client ID: A unique identifier assigned to Labelbox by your identity provider when you register it as an application. Think of it as the “username” that tells your identity provider which application is requesting authentication.
  • Client Secret: A confidential key paired with the Client ID, used to verify that the authentication request is genuinely coming from Labelbox. Treat this like a password, never share it publicly.
  • Email domain(s): The domain(s) associated with users who will log in via SSO (e.g., yourcompany.com).
If your identity provider provides a metadata XML file, you can share that directly with Labelbox support. We can extract the required values from it.

How to enable SSO

SSO is configured by the Labelbox team on your behalf. To get started:
  1. Gather the required information listed above from your identity provider.
  2. Contact Labelbox support at support@labelbox.com with your SSO details. If you have a metadata XML file, attach it to your message.
  3. Labelbox configures the connection: Our team will set up the SSO connection for your organization using the information you provide.
  4. Test the integration: Once configured, you’ll be notified to test the login flow. Open the Labelbox sign-in page, enter an email address on your domain, and confirm you’re redirected to your identity provider correctly.
  5. After a successful test, SSO will be fully enabled for your organization.

Logging in with SSO

Once SSO is enabled for your organization:
  1. Navigate to app.labelbox.com.
  2. Enter your work email address.
  3. Labelbox automatically detects that SSO is configured for your domain and redirects you to your identity provider.
  4. Authenticate with your identity provider credentials as you normally would.
  5. You’re redirected back to Labelbox and logged in.
Note: Users do not need to enter a Labelbox password when SSO is enabled. Authentication is handled entirely by your identity provider.

Supported identity providers

Labelbox supports single sign-on using SAML 2.0 and OpenID Connect (OIDC) with standard-compliant identity providers. Commonly used providers include:
  • SAML 2.0
  • OpenID Connect
  • Microsoft Entra ID
  • Active Directory Federation Services (ADFS)
  • Okta
  • and other enterprise identity providers
You can install a verified version of the Labelbox Enterprise application in your Azure tenant to manage user access and configure SSO directly. For detailed steps, see the Labelbox tutorial on Microsoft Entra ID.

Troubleshooting

I entered my email but wasn’t redirected to my identity provider.
Make sure you’re using an email address that matches the domain registered for SSO. If you believe SSO should be configured for your domain, contact support@labelbox.com.

I’m getting an authentication error after being redirected.
This is often caused by a misconfigured attribute mapping or an incorrect certificate. Check with your identity provider admin to confirm the sign-in URL and certificate are correct, then reach out to Labelbox support with any error details.

Some users on my domain can’t log in via SSO.
Confirm that those users have been assigned the Labelbox application in your identity provider. Users must be provisioned in your identity provider to authenticate via SSO. Need help? Reach out to support@labelbox.com and our team will assist you.