Single Sign-On (SSO) for Business and Enterprise

    Overview

    Single Sign-On (SSO) allows your team members to authenticate once through your organization's identity provider and seamlessly access Freepik without needing separate credentials. This feature is available for Business and Enterprise plans.

    What is SSO and how does it work?

    SSO uses the SAML 2.0 protocol to securely exchange authentication data between your identity provider (IdP) and Freepik. When a user attempts to log in, they are redirected to your organization's IdP for authentication. Once verified, they gain access to Freepik without entering additional credentials.

    Key benefits include:

    1. Enhanced security through centralized authentication
    2. Simplified access management for administrators
    3. Reduced password fatigue for team members
    4. Automatic user provisioning
    5. Compliance with enterprise security policies

    SSO availability by plan

    | Feature | Business | Enterprise |
    |---|---|---|
    | SSO via SAML 2.0 | ✓ Self-service | ✓ Advanced |
    | Domain verification | | |
    | Multiple domains | Limited | Unlimited |
    | Dedicated support | | |

    Before you begin

    To configure SSO, you will need:

    1. Administrator access to your Freepik Business or Enterprise account
    2. Administrator access to your identity provider (Okta, Entra ID, Duo or Google Workspace)
    3. Access to your domain's DNS settings for verification
    4. The following information from Freepik (available in Settings > Security SSO):

    | Parameter |
    |---|
    | Entity ID (Issuer) |
    | ACS URL (Reply URL) |
    | Sign-on URL |

    Step 1: Add and verify your domain

    Before configuring your identity provider, you must verify ownership of your company domain.

    1.1 Navigate to SSO settings

    Go to Settings > Security SSO in your Freepik admin panel.

    1.2 Add your domain

    Enter your company's domain (e.g., yourcompany.com). This is the domain that appears after the @ symbol in your employees' email addresses.

    1.3 Copy the verification code

    Freepik will provide a unique verification code in the format: freepik-domain-verification=XXXXX

    Copy this entire string.

    1.4 Add DNS TXT record

    Log in to your DNS provider (e.g., GoDaddy, Cloudflare, AWS Route 53) and add a new TXT record with the verification code as the value. Add it to the root domain, not a subdomain.

    1.5 Verify the domain

    Return to Freepik and click "Verify domain". DNS propagation may take up to 48 hours, but typically completes within minutes.


    Step 2: Configure your identity provider

    Select your identity provider below for specific configuration instructions.


    🔶 Okta Configuration

    Step 1: Create a new SAML application

    In your Okta Admin Console, go to Applications > Applications > Create App Integration. Select "SAML 2.0" as the sign-in method.

    Step 2: Configure general settings

    1. Enter "Freepik" as the App name
    2. Optionally upload the Freepik logo for easy identification
    3. Click Next

    Step 3: Configure SAML settings

    Click Edit on "Basic SAML Configuration" and enter:

    | Field | Value |
    |---|---|
    | Audience Restriction | https://id.freepik.com/sp |
    | Single Sign On URL | https://id.freepik.com/api/v2/login/saml?client_id=freepik&providerid=saml.oauth-{identifier} |
    | Recipient URL | https://id.freepik.com/api/v2/login/saml?client_id=freepik&providerid=saml.oauth-{identifier} |
    | Destination URL | https://id.freepik.com/api/v2/login/saml?client_id=freepik&providerid=saml.oauth-{identifier} |

    Step 4: Configure attributes and claims

    Click Edit on "Attributes & Claims". Ensure the following claims are configured:

    | Value | Source attribute |
    |---|---|
    | email | user.email |
    | first_name | user.givenname |
    | last_name | user.surname |

    Step 5: Complete the setup

    Click Next, select "I'm an Okta customer adding an internal app", then click Finish.

    Step 6: Assign users

    Go to the Assignments tab and assign the application to the users or groups who need access to Freepik.

    Step 7: Get IdP metadata

    Go to the Sign On tab and copy the "Metadata URL" or download the metadata XML. You'll need this to complete the setup in Freepik.

    🔷 Microsoft Entra ID Configuration

    Step 1: Create an enterprise application

    In the Microsoft Entra admin center, go to Identity > Applications > Enterprise applications > New application > Create your own application. Name it "Freepik" and select "Integrate any other application you don't find in the gallery".

    Step 2: Set up single sign-on

    In the application overview, click "Set up single sign on" and select "SAML".

    Step 3: Configure basic SAML settings

    Click Edit on "Basic SAML Configuration" and enter:

    | Field | Value |
    |---|---|
    | Identifier (Entity ID) | https://id.freepik.com/sp |
    | Reply URL (ACS) | https://id.freepik.com/api/v2/login/saml?client_id=freepik&providerid=saml.oauth-{identifier} |
    | Sign-on URL | https://id.freepik.com/log-in?client_id=freepik |

    Step 4: Configure attributes and claims

    Click Edit on "Attributes & Claims". Ensure the following claims are configured:

    | Value | Source attribute |
    |---|---|
    | email | user.email |
    | first_name | user.givenname |
    | last_name | user.surname |

    Step 5: Download the certificate

    In the "SAML Certificates" section, download the "Certificate (Base64)" and copy the "App Federation Metadata Url".

    Step 6: Assign users and groups

    Go to Users and groups > Add user/group. Select the users or groups who need access to Freepik.

    Step 7: Copy configuration URLs

    In the "Set up Freepik" section, copy:

    1. Login URL
    2. Microsoft Entra Identifier
    3. Logout URL

    You'll need these to complete the setup in Freepik.

    🔴 Google Workspace Configuration

    Step 1: Access the Admin Console

    Sign in to your Google Admin console (admin.google.com) with a super administrator account.

    Step 2: Navigate to SAML apps

    Go to Apps > Web and mobile apps > Add app > Add custom SAML app.

    Step 3: Enter app details

    1. Enter "Freepik" as the app name
    2. Optionally add a description and upload the Freepik logo
    3. Click Continue

    Step 4: Download IdP metadata

    On the Google Identity Provider details page, download the IdP metadata XML file or copy the SSO URL, Entity ID, and Certificate. Click Continue.

    Step 5: Configure service provider details

    Enter the following values:

    | Field | Value |
    |---|---|
    | Identifier (Entity ID) | https://id.freepik.com/sp |
    | Reply URL (ACS) | https://id.freepik.com/api/v2/login/saml?client_id=freepik&providerid=saml.oauth-{identifier} |
    | Sign-on URL | https://id.freepik.com/log-in?client_id=freepik |

    Step 6: Configure attribute mapping

    Add the following attribute mappings:

    | Value | Google Directory attribute |
    |---|---|
    | email | user.email |
    | first_name | user.givenname |
    | last_name | user.surname |

    Click Finish.

    Step 7: Enable the app for users

    In the app settings, click User access. Select "ON for everyone" or configure access for specific organizational units. Click Save.

    Step 3: Complete SSO setup in Freepik

    3.1 Return to Freepik SSO settings

    Go to Settings > Security SSO in your Freepik admin panel.

    3.2 Enter IdP information

    Upload the metadata XML file from your identity provider.


    3.3 Test the connection

    By default your SSO configuration will be Flexible: Users can sign in using SSO or traditional methods like email and social login. Ideal for testing SSO without disrupting existing sign-in methods.

    3.4 Choose your SSO enforcement mode

    Flexible

    Users can sign in using SSO or traditional methods like email and social login. Ideal for testing SSO without disrupting existing sign-in methods.

    Restricted

    Existing users can continue signing in with their password, but new user registrations are not allowed. This prevents new accounts outside SSO while keeping access for existing users.

    Strict

    Users can sign in using SSO only. Recommended for organizations that require centralized identity management.


    Troubleshooting

    ❌ "success":false,"message":"Given email address is not valid","errorCode":0,"errorName":"INVALID_EMAIL_ADDRESS"

    This error occurs when the SSO Attribute Statements are not correctly configured in your Identity Provider (IdP).

    Our system expects specific user attributes to be sent during the SSO authentication process. If these attributes are missing, misnamed, or mapped incorrectly, the login will fail and return the “Given email address is not valid” error.

    Your SSO configuration must include the following attributes:

    | Name | Name Format | Value |
    |---|---|---|
    | email | Unspecified | user.email |
    | first_name | Unspecified | user.givenname |
    | last_name | Unspecified | user.surname |
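
    To see which of these attributes your IdP actually sends, you can check a SAML response you captured during a test login (base64-decoded to XML) against the table above. The script below is an added example, not Freepik's code; `check_assertion` and `SAMPLE` are hypothetical names, the sample assertion is constructed, and the script is a diagnostic that does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
REQUIRED = ("email", "first_name", "last_name")  # names from the table above
AUDIENCE = "https://id.freepik.com/sp"           # Entity ID given on this page

# Constructed sample: the assertion part of a decoded SAML response, unsigned.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{AUDIENCE}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="first_name" NameFormat="{FMT}basic"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name"><saml:AttributeValue/></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of problems found in a decoded SAML response or assertion."""
    # Reject DTDs so entity-expansion tricks never reach the stdlib parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["refusing to parse: DTD or entity declaration present"]
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iter(f"{{{NS['saml']}}}Audience") if a.text]
    if AUDIENCE not in audiences:
        problems.append(f"audience {audiences} does not include {AUDIENCE}")
    sent = {}
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        # SAML core: an absent NameFormat means "unspecified"
        sent[attr.get("Name")] = (attr.get("NameFormat", FMT + "unspecified"), values)
    for name in REQUIRED:
        if name not in sent:
            near = [n for n in sent if n and n.lower().replace("_", "") == name.replace("_", "")]
            hint = f" (IdP sent {near[0]!r} instead)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
            continue
        name_format, values = sent[name]
        if name_format != FMT + "unspecified":
            problems.append(f"{name!r} NameFormat is {name_format.rsplit(':', 1)[-1]!r}, expected 'unspecified'")
        if not values:
            problems.append(f"{name!r} has no value")
    return problems
```

    Calling `check_assertion(SAMPLE)` reports the misnamed `Email` attribute, the `basic` name format on `first_name`, and the empty `last_name`; an empty list means the attribute statement matches the table.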

    ❌ "Certificate" error

    This error occurs when there is an issue with the XML metadata file uploaded during the SSO configuration.

    Specifically, the certificate included in the XML file is not valid or does not match the expected configuration. As a result, the system is unable to verify the identity provider and the SSO setup fails.

    Common causes

    1. The XML file uploaded is outdated
    2. The certificate in the XML does not belong to the active IdP
    3. The certificate has expired
    4. The XML file was modified manually and the certificate is malformed or incorrect

    How to fix it

    1. Re-download the latest XML metadata from your Identity Provider
    2. Make sure the certificate included in the XML is correct and active.
    3. Upload the new XML file again without modifying it

    If the error persists, contact your IT or security team to verify the certificate configuration in your IdP.

    Other Frequently Asked Questions

    Can I use SSO with multiple domains?

    Yes. Business plans support a limited number of domains, while Enterprise plans allow unlimited domains. This is useful for organizations with multiple subsidiaries or regional domains.

    What happens to existing users when I enable SSO?

    The behavior depends on the SSO enforcement mode you choose:

    Restricted: Existing users can continue signing in using their email and password, while new user registrations are blocked outside of SSO.

    Strict: All users must sign in using SSO. Email and password login is disabled. Recommended for organizations that require full centralized identity management and stricter security controls.

    Can I enforce SSO for all users?

    Yes. Once SSO is configured and verified, you can select “Strict Configuration” to enforce it for all users with emails matching your domain. Users will no longer be able to log in with username/password and must use SSO.
