Integrating with SAML2 Single Sign-On

Customers using SAML 2.0-enabled versions of Microsoft Entra ID and Google Workspace can provide their ChurchSuite and CharitySuite users with a Single Sign-On (SSO) experience, allowing them to access the system using their existing Entra ID or Google credentials. Email support@churchsuite.com to request that the SAML2 integration be enabled on your ChurchSuite or CharitySuite account, and then follow the instructions in this article to complete the integration process.

In this article

Introduction and intended functionality
Beginning the SAML2 integration
Using the Microsoft Entra ID service
Using the Google service
Enabling SSO for users

Introduction and intended functionality

Organisations using SAML2-enabled versions of Microsoft Entra ID and Google Workspace can provide their ChurchSuite and CharitySuite users with a secure Single Sign-On (SSO) experience, allowing them to log into the system using their existing Entra ID or Google credentials.

Changes made to SAML2 service user permissions do not apply to ChurchSuite/CharitySuite. Your ChurchSuite/CharitySuite account has its own administrator-managed user permissions for modules and sites, which are managed on a user-by-user basis within the system. Similarly, the distinction between Administrators and Users in ChurchSuite/CharitySuite is unrelated to the level of service user permissions set within Microsoft Entra ID or Google Workspace. However, when a service user's access is revoked in a SAML 2 service, that SSO-enabled user will no longer be able to access ChurchSuite/CharitySuite; nevertheless, you may want to archive (or, with caution, delete) their user profile as a separate task. See our related support article on Adding and managing users for further information.

When SAML2 SSO is enabled for a ChurchSuite/CharitySuite user, their username and password are disabled to prevent use. Additionally, the ChurchSuite/CharitySuite password change/reset workflows and multi-factor authentication are disabled and bypassed for that user. An SSO-enabled user is also prevented from changing their ChurchSuite user email address.

SAML2 SSO can only be disabled in ChurchSuite/CharitySuite by an Administrator. Resetting the SAML2 integration will disable SSO for all users. When SAML2 SSO is disabled, a user's previous ChurchSuite/CharitySuite username and password are reactivated. A password reset request can be sent to encourage users to secure their user account with a new password and enable multi-factor authentication.

Beginning the SAML2 integration

Completion of the SAML2 integration assumes familiarity with the advanced configuration settings of your SAML2 service.

From the Integrations section of your Account area, click SAML2:

Click to see a larger version

Click Edit.

Click to see a larger version

On the Edit pop-up, select the SAML Service. The other settings will change to reflect the selected Service. Rather than manually populating responses into the integration fields, you can optionally upload a metadata XML file that will automatically populate the form. This method is recommended and minimises the risk of mistakes, which will lead to the integration failing. We'll look at how to obtain this from your chosen service in the next sections.

Click to see a larger version

Using the Microsoft Entra ID service

NB: This section and it's screenshots are correct at the time of writing (July 2026). As Microsoft makes changes, nuances of our description and screenshots may become outdated.

Navigate to the Microsoft Azure Portal and use your credentials to sign in. Click Microsoft Entra ID.

Click to see a larger version

In the Manage menu, choose Enterprise applications.

Click to see a larger version

Select New application and then Create your own application - this may take a few moments.

Click to see a larger version
Click to see a larger version

Insert the app name (we've used ChurchSuite) and select Integrate any other application you don't find in the gallery (non-gallery), then Create.

Click to see a larger version

Next, choose 2. Set up single sign on and select SAML.

Click to see a larger version
Click to see a larger version

Edit the Basic SAML Configuration section.

Click to see a larger version

Using the Service Provider Details from within ChurchSuite/CharitySuite, copy and paste the details into the relevant fields.

Click to see a larger version
Click to see a larger version

Once you're happy that the detail match, click Save and then exit the Basic SAML Configuration area using the X.

Click to see a larger version

You may be prompted to test single sign-on - decline this using the No, I'll test later option.

Click to see a larger version

Download the Federation Metadata XML...

Click to see a larger version

...then Choose the downloaded file in ChurchSuite/CharitySuite - the Entra Identifier, Login URL and Certificate application details will be automatically populated. Alternatively, add these manually. Click Save.

Click to see a larger version
Click to see a larger version

Finally, back in your Microsoft account, ensure that the app Users and Groups reflect those who you wish to use SAML2 Single Sign on.

Click to see a larger version
Next...

Once the integration settings are correctly configured, you can begin enabling SAML2 single sign-on for your ChurchSuite/CharitySuite users, as explained in the final section.

Click to see a larger version

Using the Google service

NB: This section and it's screenshots are correct at the time of writing (July 2026). As Google makes changes, nuances of our description and screenshots may become outdated.

Navigate to Google Workspace's Admin Console and use your credentials to sign in. Click Apps then Web and mobile apps.

Click to see a larger version

Click Add app and choose Add custom SAML app.

Click to see a larger version

Enter the App Name and click Continue.

Click to see a larger version

Click Download Metadata to download the metadata XML file.

Click Continue.

Click to see a larger version

Back in ChurchSuite/CharitySuite, Choose the downloaded file - the Entity ID, SSO URL and Certificate application details will be automatically populated. Alternatively, add these manually. Don't click save just yet!

Next, copy the ACS URL and Entity ID details back into your Google Service Provider Details section and Continue...

Click to see a larger version
Click to see a larger version

...then click Save back in ChurchSuite/CharitySuite.

Click to see a larger version
Next...

Once the integration settings are correctly configured, you can begin enabling SAML2 single sign-on for your ChurchSuite/CharitySuite users, as explained in the next section.

Click to see a larger version

Enabling SSO for users

Top tip - migrating from legacy SSO

If you're migrating from the legacy Entra ID or Google SSO integration, you'll need to first Disable SSO for your users. You can do this using the Bulk Actions.

Click to see a larger version

You can then Reset your previous SSO integration...

Click to see a larger version

...and proceed to Enable SAML2 SSO for your users as per the below.

From a user profile:

Working within the Users section of your Account area, first select Enable SAML2 SSO from a user's profile.

Click to see a larger version

You must first verify that the user's email address matches an active SAML2 service user; otherwise, they will be unable to log in to ChurchSuite. Once you are happy, tick the confirmation checkbox and click Save.

Click to see a larger version

The user profile updates to show that Single Sign-On is active. Note the option to Disable SAML2 SSO.

Click to see a larger version
From the Users list:

Using the Bulk Actions, you can enable and disable SAML2 SSO for multiple selected users within the Users section of the Account area.

Click to see a larger version

First, ensure that each selected user's email address matches an active SAML2 service user's email address; otherwise, users will be unable to access ChurchSuite/CharitySuite. Once you are happy, tick the confirmation checkbox and click Save to apply the changes to the selected users.

Click to see a larger version

An icon in the Users section distinguishes SSO-enabled users.

Click to see a larger version

The Filters can be used to filter and see just those users with SSO enabled or disabled.

Click to see a larger version

Once SSO is enabled for a ChurchSuite/CharitySuite user, any previously set ChurchSuite/CharitySuite username and user password are disabled to prevent use. An 'SSO Enabled' notification is sent to the user, shown in the user's communication log, and a user change log is added. An SSO-enabled user is prevented from changing their user email address. Additionally, the ChurchSuite password change/reset actions and multi-factor authentication functionality are disabled and bypassed for that user.

When an SSO-enabled user next logs in, they can access ChurchSuite/CharitySuite by clicking Continue with Microsoft Entra ID or Continue with Google:

Click to see a larger version
Click to see a larger version

The user may be asked, upon their first login, to confirm access permissions - once confirmed, they won't be asked about this again.

Disabling SSO

SSO can only be disabled for a user by a ChurchSuite/CharitySuite Administrator. Resetting the SAML2 integration will disable SSO for all users. When SSO is disabled, a "SSO Disabled" notification is sent to the user, displayed in the user's communication log, and a user change log entry is added. The previous ChurchSuite/CharitySuite username, user password and password change/reset actions are reactivated for that user. When disabling SSO, a password reset request can be optionally sent to encourage users to secure their ChurchSuite/CharitySuite& login with a new password and enable multi-factor authentication.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact ChurchSuite Contact ChurchSuite