SAML SSO with Microsoft Entra ID (previously Azure Active Directory)

Here's a guide to get started with SAML SSO with Microsoft Entra ID for your Whimsical workspace, but for the easiest setup experience, use the pre-built Whimsical integration in the Entra ID.

SAML SSO is only available on our Org plan.
You must be an admin to enable SAML SSO.
Whimsical also supports SCIM Provisioning with Microsoft Entra ID.

If you prefer to set things up manually, here are a few gotchas to keep in mind:

The “Reply URL” value can be found in your Whimsical Workspace settings under “ACS URL”
The “User Attributes & Claims” must be without namespace, and the capitalization is important

Example of a complete, working SAML setup:

Listing of all claims/attributes:

Example of how to remove the Namespace URI for a claim:

After SAML SSO is configured, you can go back to your Whimsical Workspace settings and adjust two more things:

Default user role: Whimsical supports JIT (Just-in-time) account provisioning. That means that Whimsical will create an account for a user authenticating via SAML if necessary. New users will be created with the role and permissions you choose:
- Editors - paid role with full ability to create and edit content
- Viewers - free role with read and comment-only limited permissions
Require SAML for login: You can enable this optional setting if you want to prevent users from accessing your workspace with other means of authentication, such as a password or via Google SSO.

There are some attributes that are the same for all identity providers:

Entity ID: https://whimsical.com
Name ID Format: email@address.com
Username/Name ID: email@address.com

Whimsical uses the e-mail address of the SAML user to identify them on Whimsical. This will come up with configuration options like Name ID Format or Name ID. When in doubt, try to choose the option that will return the user's e-mail.