SSO guide

    Set up SAML 2.0 Single Sign-On for your organization.

    Single Sign-On (SSO) lets your team authenticate through your organization's identity provider and access Freepik without separate credentials. SSO is available on Business and Enterprise plans using the SAML 2.0 protocol.

    SSO availability by plan

    Feature               | Business           | Enterprise
    ----------------------|--------------------|---------------
    SSO via SAML 2.0      | Yes (self-service) | Yes (advanced)
    Domain verification   | Yes                | Yes
    Multiple domains      | Limited            | Unlimited
    Dedicated SSO support | No                 | Yes

    Before you begin

    To configure SSO you will need:

    • Administrator access to your Freepik Business or Enterprise account.
    • Administrator access to your identity provider (Okta, Microsoft Entra ID, Google Workspace, or another SAML 2.0 provider).
    • Access to your domain's DNS settings for domain verification.
    • The Freepik SAML values listed below (available in Settings → Security SSO in your Freepik admin panel).

    Freepik SAML values

    These values are the same regardless of which identity provider you use. Copy them from Settings → Security SSO in your Freepik admin panel.

    • Entity ID (Audience): https://id.freepik.com/sp
    • ACS URL (Reply URL): shown in your SSO settings panel. Each organization has a unique identifier appended to this URL.
    • Sign-on URL: shown in your SSO settings panel.

    Required attribute mappings

    All identity providers must send the following three attributes. Use Unspecified as the Name Format for each one.

    Attribute name | Source attribute
    ---------------|-----------------
    email          | user.mail
    first_name     | user.givenname
    last_name      | user.surname

    Step 1: Verify your domain

    Before configuring your identity provider, you must verify ownership of your company domain.

    1. Go to Settings → Security SSO in your Freepik admin panel.
    2. Enter your company's domain (e.g., yourcompany.com). This is the domain after the @ symbol in your employees' email addresses.
    3. Copy the verification code provided by Freepik.
    4. Log in to your DNS provider (e.g., GoDaddy, Cloudflare, AWS Route 53) and add a new TXT record at the root domain with the verification code as the value.
    5. Return to Freepik and click Verify domain.

    DNS propagation may take up to 48 hours but typically completes within minutes.

    Step 2: Configure your identity provider

    Freepik supports any SAML 2.0 compatible identity provider. In all cases you will create a new SAML application, paste the Freepik SAML values, configure the required attribute mappings, assign users, and download the IdP metadata XML for the next step.

    Okta

    1. In your Okta Admin Console, go to Applications → Create App Integration and select SAML 2.0.
    2. Name the app Freepik. Click Next.
    3. In SAML settings, paste the Entity ID into Audience Restriction, and the ACS URL into Single Sign On URL, Recipient URL, and Destination URL.
    4. Configure the three attribute mappings (email, first_name, last_name).
    5. Click Next, select I'm an Okta customer adding an internal app, then click Finish.
    6. Go to the Assignments tab and assign the app to the users or groups who need access.
    7. Go to the Sign On tab and copy the Metadata URL or download the metadata XML.

    Microsoft Entra ID

    1. In the Microsoft Entra admin center, go to Identity → Applications → Enterprise applications → New application. Create your own application named Freepik.
    2. Click Set up single sign on and select SAML.
    3. In Basic SAML Configuration, paste the Entity ID, ACS URL, and Sign-on URL.
    4. Under Attributes and Claims, configure the three attribute mappings (email, first_name, last_name).
    5. In the SAML Certificates section, download the Certificate (Base64) and copy the App Federation Metadata URL.
    6. Go to Users and groups and assign the users or groups who need access.

    Google Workspace

    1. Sign in to your Google Admin console (admin.google.com) with a super administrator account.
    2. Go to Apps → Web and mobile apps → Add app → Add custom SAML app.
    3. Name the app Freepik. Click Continue.
    4. Download the IdP metadata XML from the Google Identity Provider details page. Click Continue.
    5. Enter the Entity ID, ACS URL, and Sign-on URL as service provider details.
    6. Add the three attribute mappings (email, first_name, last_name). Click Finish.
    7. In the app settings, click User access and enable the app for your users or organizational units.

    Other providers like Duo, OneLogin, Auth0, and Ping Identity also work with the same Freepik SAML values and attribute mappings.

    Step 3: Complete setup in Freepik

    1. Return to Settings → Security SSO in Freepik.
    2. Upload the metadata XML file from your identity provider.
    3. SSO starts in Flexible mode by default so you can test without disrupting existing logins.
    4. Once confirmed working, choose your preferred enforcement mode.

    Enforcement modes

    After configuring SSO, choose how strictly it is enforced across your organization:

    Mode       | Behavior
    -----------|---------
    Flexible   | Users can sign in via SSO or email and social login. Ideal for testing before full rollout.
    Restricted | Existing users keep email and password login. New registrations are blocked outside of SSO.
    Strict     | All users must sign in via SSO only. Email and password login is disabled.

    Start with Flexible mode to verify the configuration works. Once confirmed, switch to Restricted or Strict.

    Troubleshooting

    Email address not valid error

    This means the attribute mappings in your identity provider are incorrect or missing. Verify that your IdP sends the three required attributes (email, first_name, last_name) with the correct source values and Unspecified name format.
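
    To check the required attribute mappings and the audience before switching enforcement modes, you can lint a decoded test assertion captured from your own IdP. The script below is an added example, not Freepik's code: the function names, the example.com domain, the exact-name match, and the email-domain check are assumptions, and the sample assertions are constructed. It checks configuration only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
ENTITY_ID = "https://id.freepik.com/sp"          # Entity ID (Audience) from this guide
REQUIRED = ("email", "first_name", "last_name")  # attribute names from this guide

def lint_assertion(xml_text, verified_domain):
    """Config lint for a decoded assertion; it does NOT verify the signature."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if ENTITY_ID not in audiences:
        problems.append(f"audience {audiences} lacks {ENTITY_ID}")
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        # SAML core: an omitted NameFormat means "unspecified".
        sent[attr.get("Name", "")] = (attr.get("NameFormat", FMT + "unspecified"), values)
    for name in REQUIRED:
        if name not in sent:  # exact, case-sensitive name match is an assumption
            problems.append(f"missing {name}; IdP sent {sorted(sent)}")
            continue
        name_format, values = sent[name]
        if name_format != FMT + "unspecified":
            problems.append(f"{name}: NameFormat is {name_format.rsplit(':', 1)[-1]}")
        if not any(values):
            problems.append(f"{name}: empty value")
    for email in sent.get("email", ("", []))[1]:  # assumption: must be in the Step 1 domain
        if not email.lower().endswith("@" + verified_domain.lower()):
            problems.append(f"email {email} is outside {verified_domain}")
    return problems

def sample(audience, attributes):  # builds constructed (not captured) test input
    rows = "".join(
        f'<saml:Attribute Name="{n}" NameFormat="{FMT}{f}">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for n, f, v in attributes)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Conditions><saml:AudienceRestriction>'
            f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f"<saml:AttributeStatement>{rows}</saml:AttributeStatement></saml:Assertion>")

GOOD = sample(ENTITY_ID, [("email", "unspecified", "ana@example.com"),
                          ("first_name", "unspecified", "Ana"), ("last_name", "unspecified", "Ruiz")])
BAD = sample("https://id.freepik.com", [("Email", "basic", "ana@example.com"),
                                        ("first_name", "basic", "Ana"), ("last_name", "unspecified", "")])

if __name__ == "__main__":
    print(lint_assertion(GOOD, "example.com"), lint_assertion(BAD, "example.com"))
```

    An empty list means the assertion carries the Entity ID as audience and all three attributes in the expected form. Treat captured assertions as sensitive and discard them after testing.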

    Certificate error

    The certificate in the uploaded metadata XML is invalid, expired, or does not match the active identity provider. To fix it:

    1. Re-download the latest XML metadata from your identity provider.
    2. Make sure the certificate in the XML is correct and active.
    3. Upload the new XML file without modifying it.

    If the error persists, contact your IT or security team to verify the certificate configuration in your IdP.

    Frequently asked questions

    Can I use SSO with multiple domains?

    Yes. Business plans support a limited number of domains. Enterprise plans allow unlimited domains, which is useful for organizations with multiple subsidiaries or regional domains.

    What happens to existing users when I enable SSO?

    It depends on the enforcement mode. In Flexible mode, nothing changes. In Restricted mode, existing users keep their current login methods but new registrations are blocked outside SSO. In Strict mode, all users must use SSO.

    Can I enforce SSO for all users?

    Yes. Set the enforcement mode to Strict. All users with emails matching your verified domain will be required to sign in through SSO.

    Which identity providers are supported?

    Any provider compatible with SAML 2.0. This guide covers Okta, Microsoft Entra ID, and Google Workspace, but others (Duo, OneLogin, Auth0, Ping Identity) work with the same Freepik SAML values.
