How to safely and securely update your identity provider's (IdP) signing certificate within Sanity. During this process, it's a good idea to keep two windows side by side:
You will need to be an admin on both the project and the organization within Sanity. You will also need access to update the certificate in your IdP.
Sanity treats each sign-in method as a separate account, even if the email is the same. For example:
These accounts are distinct and may have different permissions.
Ensure you have a non-SSO admin account for backup access to your org. This is especially important if your SSO configuration fails. Otherwise, you’ll need to contact Sanity support.
Go to your IdP. Copy the current certificate in case you need to revert. (Make sure you have another admin account that can log in with email/password instead of SSO before rotating, or you will be locked out.) You can now rotate the signing certificate in your IdP.
While the new signing certificate is active in your IdP but not yet updated in Sanity, your users may see an error:
{"statusCode":422,"error":"Unprocessable Entity","message":"Invalid signature"}
It is necessary to have an alternate account that can sign in with email and password and that has organization permissions.
In your Sanity SSO settings, scroll down to your X.509 certificate. Copy the current certificate and save it somewhere in case you need to revert.
Remove the current certificate and copy in the new certificate from your Idp.
Click Save.
Your certificate is now updated. You should now be able to log out and log back in with SSO.
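A pre-paste check for the steps above, as an added example that is not Sanity's own code: it compares a certificate (the saved copy, or the one about to be pasted) against the signing certificates in the IdP's SAML metadata XML, so a mismatch is caught before users hit "Invalid signature". It assumes your IdP publishes standard SAML 2.0 metadata; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(cert_text):
    """SHA-256 over the DER bytes; accepts PEM or bare base64 with any whitespace."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", cert_text)
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def idp_signing_fingerprints(metadata_xml):
    """Fingerprints of every signing certificate advertised in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    prints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute applies to signing as well.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                prints.append(fingerprint(cert.text))
    return prints

def rotation_state(sp_cert_text, metadata_xml):
    """Compare the certificate held by the SP with the IdP's signing certs."""
    idp = idp_signing_fingerprints(metadata_xml)
    if not idp:
        return "no-signing-cert-in-metadata"
    return "in-sync" if fingerprint(sp_cert_text) in idp else "mismatch"

# Constructed sample data: stand-in bytes, not real certificates.
OLD_B64 = base64.b64encode(b"constructed stand-in for the old cert").decode()
NEW_B64 = base64.b64encode(b"constructed stand-in for the new cert").decode()
OLD_PEM = f"-----BEGIN CERTIFICATE-----\n{OLD_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("saved old cert vs IdP:", rotation_state(OLD_PEM, SAMPLE_METADATA))
    print("new cert vs IdP:", rotation_state(NEW_B64, SAMPLE_METADATA))
```

A "mismatch" result for the certificate currently saved in Sanity corresponds to the window in which SSO logins fail; only load metadata obtained from your own IdP.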