Set Up SSO in GoHighLevel

/ CRM, GHL / By

How to Set Up Single Sign-On (SSO) in GoHighLevel

Connecting your existing identity tools such as ClickUp, HR systems, or corporate directories to GoHighLevel allows your team to log in securely with one set of credentials. This guide walks you through configuring SAML-based Single Sign-On so that your agency or company can centrally manage access to your accounts.

The steps below are based on the official platform documentation and explain how to enable and test SSO from your agency settings panel.

What You Need Before Configuring GoHighLevel SSO

Before you start the GoHighLevel SSO configuration, make sure you have the following prerequisites ready:

  • An active GoHighLevel agency account with admin access.
  • Access to your identity provider (IdP), such as Okta, Azure AD, Google Workspace, or another SAML 2.0 provider.
  • Permission in the IdP to create or edit an application/integration.
  • Ability to copy and paste metadata values between your IdP and GoHighLevel.

SSO in GoHighLevel is based on SAML. Most enterprise IdPs support SAML and can be used by following the general instructions in this article.

Accessing the GoHighLevel SSO Settings

To begin, you must open the SSO configuration page inside your agency settings.

  1. Log in to your GoHighLevel agency account as an administrator.
  2. Navigate to the Agency view (top-left selector if you are inside a sub-account).
  3. Open Settings from the main left-hand menu.
  4. Locate and click the Single Sign-On or SSO section in the settings list.

This SSO screen is where you will enter SAML details from your identity provider and obtain the data that the provider requires from GoHighLevel.

Understanding the GoHighLevel SSO Fields

On the SSO configuration page, you will see several fields that must be filled in with SAML values. The naming may vary slightly between identity providers, but they map to the same concepts.

Core GoHighLevel SAML Settings

  • Entity ID / Audience URI: A unique identifier for the SAML service. Copy this value from GoHighLevel and set it as the Audience or Entity ID in your IdP application.
  • ACS URL / Single Sign-On URL: The Assertion Consumer Service endpoint where the IdP will post the SAML response. Enter this GoHighLevel URL in your IdP configuration.
  • Default Relay State (if applicable): Some IdPs allow a relay state. If your IdP supports it and you want users to land on a specific GoHighLevel page, use the given relay state guidance from the SSO screen.

Identity Provider Settings Required by GoHighLevel

When you create an application in your IdP, it will generate values you must paste back into GoHighLevel:

  • IdP Entity ID / Issuer: The unique identifier of your IdP. Copy this and paste it into the matching field in GoHighLevel.
  • IdP SSO URL / Login URL: The URL your users are redirected to for SSO authentication.
  • X.509 Certificate: The public certificate used by your IdP to sign SAML responses. Download or copy it from the IdP and paste the certificate block into GoHighLevel where requested.

Configuring Your Identity Provider for GoHighLevel

While each identity provider has its own interface, the process to configure SAML for GoHighLevel generally follows these steps:

  1. Create a new SAML application: In your IdP admin console, create or add a new SAML 2.0 application or enterprise app.
  2. Enter GoHighLevel SAML URLs:
    • Set the ACS URL or Single Sign-On URL to the value provided by GoHighLevel.
    • Set the Audience or Entity ID to the corresponding GoHighLevel Entity ID.
  3. Configure NameID: Choose the identifier used to map users. Typically, this is the user’s email address. Make sure it matches the email used in GoHighLevel user profiles.
  4. Set SAML attributes (if required): If your documentation or internal policy requires additional attributes (such as first name or last name), map them accordingly.
  5. Download IdP metadata or copy details: Obtain the IdP SSO URL, Entity ID, and X.509 certificate from your IdP.

Once this is done, return to the SSO settings page in your GoHighLevel dashboard to complete the integration.

Entering Identity Provider Details in GoHighLevel

Now that your IdP is configured, you need to connect it to GoHighLevel.

  1. In the Single Sign-On settings of GoHighLevel, locate the fields for IdP information.
  2. Paste the IdP Entity ID into the corresponding field.
  3. Paste the IdP SSO URL (or Login URL) into its field.
  4. Paste the full X.509 Certificate, including the BEGIN/END lines if provided.
  5. Save your SSO configuration.

After you save, GoHighLevel will use these values to verify incoming SAML responses from your identity provider.

Testing GoHighLevel SSO Before Rollout

Testing is critical before you deploy SSO to all users. Follow these steps for a safe test:

  1. Assign the application to a test user: In your IdP, grant access to a single test user or small pilot group.
  2. Confirm user email alignment: Ensure the test user’s email address in your IdP exactly matches their email in GoHighLevel.
  3. Use the SSO login URL: From the SSO configuration or your IdP application, open the SSO login link in a private/incognito browser window.
  4. Complete authentication: Log in using the test user’s IdP credentials and verify that you are redirected into GoHighLevel without password prompts from the platform.
  5. Check access: Confirm that the user can access the correct agency or sub-account areas based on your existing permissions.

If the test fails, review the SAML settings on both sides. Common issues include mismatched Entity IDs, incorrect ACS URL, or a misconfigured certificate.

Managing Users and Access with GoHighLevel SSO

Once SSO is working, you can expand it to your full user base.

  • Centralized user management: Control who can log in to GoHighLevel by assigning or removing access to the SAML app in your IdP.
  • Deprovisioning: When a user leaves your company, revoke their access in the IdP. This prevents new SSO sessions, but you can still manage roles and data inside GoHighLevel if needed.
  • Role management: Continue to manage user roles and permissions within GoHighLevel to ensure each person only accesses the appropriate accounts and features.

Troubleshooting Common GoHighLevel SSO Issues

If users cannot log in with SSO, check these items first:

  • Email mismatch: The email in the IdP must match the user’s email in GoHighLevel.
  • Incorrect URLs: Confirm the ACS URL and Entity ID in the IdP exactly match the values shown in GoHighLevel.
  • Expired or wrong certificate: If your IdP updates its X.509 certificate, you must also update it in the GoHighLevel SSO settings.
  • Clock skew: Large time differences between your IdP and GoHighLevel servers can cause token validation failures.

Always consult the official documentation for the latest, most precise field names and values used for Single Sign-On configuration.

Official GoHighLevel SSO Documentation & Helpful Resources

For full technical details, field screenshots, and the most current platform behavior, review the original SSO documentation here:

Official GoHighLevel SSO Setup Guide

If your agency needs strategic implementation support, systems consulting, or help building automations connected to your SSO environment, you can also explore specialized services at Consultevo.

By following the steps in this article and validating your configuration carefully, you can enable secure, centralized Single Sign-On for your entire team in GoHighLevel.

Need Help With ClickUp?

If you want expert help building, automating, or scaling your GHL , work with ConsultEvo — trusted GoHighLevel Partners.

Scale GoHighLevel

“`