Enable single sign-on for your organization’s managed Meta accounts in Admin Center

Only admins with relevant permissions can configure SSO.
You can allow people to access their managed Meta account with single sign-on (SSO) by integrating Admin Center with an identity provider (IdP) that manages user authentication.
This means people can log into their accounts using the same SSO credentials they use with your other systems.
We recommend that you verify your organization’s domain in Admin Center before you enable SSO.
If you are migrating to managed Meta accounts for Meta business tools, then you can set up SSO in Business Manager during the migration process. This article is about setting up SSO in Admin Center, which you can do if you’re setting up Meta Quest for Business or after you’ve completed the migration process for Meta business tools.
Enable SSO for your organization in Admin Center
  1. Log into Admin Center.
  2. Click Security in the left menu.
  3. Click Single sign-on in the left menu.
  4. Copy our SSO metadata and add it to your IdP. When completed, click I’ve added the metadata.
  5. Complete the Add your IdP’s SSO metadata section. This includes:
    • The name of your SSO setup
    • SAML URL
    • SAML Issuer URL
    • SAML Certificate
    • The option to enable SAML single logout if your IdP supports this. When SAML single logout is enabled, people using SSO who log out of their IdP are also logged out of their managed Meta account. If they log out of their managed Meta account, a request is sent to the IdP to log the user out of their IdP session. If you want to enable SAML single logout, you will need to:
      • Add your ACS (Assertion Consumer Service) URL from the section above to your IdP’s SAML configuration as the Logout URL.
      • Find your SAML Single Logout URL in your IdP settings, then add this to the SAML Single Logout URL box in Admin Center.
  6. Click Validate IdP metadata.
  7. Enter a testing email address, then click Test SSO.
    • Make sure your testing email address can be used for SSO via the IdP you are adding. You will also need to make sure you are already logged into the IdP with this email address (or that you are able to log in during the test).
  8. A new tab will open with your IdP login page.
  9. Return to Admin Center, then click Check result.
  10. Assign email domains so that people with these email domains can log in with SSO. If you leave domains unassigned, people will need to log in with a password.
  11. Click Activate SSO to turn it on.
    • Clicking Save saves your changes but does not activate SSO.
People with email address domains that are included in your SSO settings will log into their managed Meta account with SSO, unless you select otherwise. If their email address domain has not been included, they will log in with a password.
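The values requested in step 5 can usually be read from the IdP's SAML 2.0 metadata XML. The script below is an added example, not Meta's code: it extracts them, prints a certificate fingerprint to compare against the IdP console, and flags non-HTTPS endpoints. The mapping of Admin Center field names to metadata elements (SAML URL to SingleSignOnService, SAML Issuer URL to entityID) is an assumption, and the sample metadata and idp.example.com URLs are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for a DER certificate.
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    """SHA-256 of the certificate bytes, to compare with the IdP console."""
    return hashlib.sha256(der).hexdigest()

def extract_idp_fields(xml_text: str) -> dict:
    """Pull the values step 5 asks for out of an IdP metadata document."""
    root = ET.fromstring(xml_text)  # parse only metadata from your own IdP
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a single-entity IdP metadata document")
    def locations(tag):
        return [e.get("Location", "") for e in idp.findall(f"md:{tag}", NS)]
    certs = [base64.b64decode("".join(c.text.split()))
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"   # no 'use' means both
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    # Assumed mapping of Admin Center field names to metadata elements.
    fields = {"saml_issuer": root.get("entityID"),
              "saml_url": locations("SingleSignOnService"),
              "saml_single_logout_url": locations("SingleLogoutService"),
              "signing_cert_sha256": [fingerprint(c) for c in certs]}
    urls = fields["saml_url"] + fields["saml_single_logout_url"]
    fields["problems"] = [f"not https: {u}" for u in urls
                          if not u.startswith("https://")]
    if not fields["saml_url"] or not certs:
        fields["problems"].append("missing SSO endpoint or signing certificate")
    return fields
```

Call extract_idp_fields() with the text of the metadata file downloaded from your IdP and resolve anything listed under "problems" before clicking Validate IdP metadata.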
SSO re-authentication settings
You can configure Admin Center to prompt for a SAML check every day, three days, week, two weeks, month or never.
You can also force a SAML reset for everyone by clicking Require now next to Require everyone to re-authenticate now.