SSO Set Up

Taxi for Email is committed to the security and protection of our users. SSO allows users to securely access Taxi without having to use another set of credentials.

Taxi for Email uses the XML-based Security Assertion Markup Language (SAML) protocol for SSO. Our SSO configuration will work with all identity providers (IdPs) that support the SAML 2.0 protocol, including Google, Okta, OneLogin, Microsoft Azure and Shibboleth.

Getting Started

Enabling SSO for your account is easy using our self-service workflow!

To get started, your Taxi Org Owner must navigate to the Security Tab and select SSO Setup.

Once you've navigated to the security page, select Start Configuration to begin the SSO process.

To set up a SAML connection, the following information needs to be shared between Taxi and your IdP. Use the copy function to copy the credentials we provide you into your IdP.

It's important to note that you may encounter some issues when setting up SSO in this second step. Here are some tips to avoid common mistakes:

When adding the Identity Provider Single Sign-On URL, make sure that the URL provided is correct. Different identity providers may give different names for the URL so double-check that the URL provided is the correct one. The Identity Provider Single Sign-On URL should look like this: https://login.microsoftonline.com/********-****-****-****-************/saml2.

However, please note that this URL may vary depending on your identity provider.

The x509 certificate must be provided in the correct format. If it's taken from the metadata, make sure that it's converted to the correct format. To convert the x509 certificate, follow this guide: https://brianchildress.co/convert-x509-certificate-from-metadata.

The second step of the configuration can be successful even if some of the details provided are not the correct ones; make sure to confirm by testing the connection.
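As an added example (not Taxi's code or the linked guide's), this Python script reads IdP metadata, lists the Single Sign-On URL it advertises, and wraps the signing certificate as PEM with a SHA-256 fingerprint. It assumes PEM is the format the certificate field expects, which this page does not state; the function names and the sample metadata are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def b64_to_pem(b64_text):
    """Wrap bare <ds:X509Certificate> base64 as PEM; return (pem, SHA-256 of DER)."""
    compact = "".join(b64_text.split())              # metadata often wraps or indents it
    der = base64.b64decode(compact, validate=True)   # raises ValueError on stray characters
    if not der:
        raise ValueError("empty X509Certificate element")
    body = "\n".join(compact[i:i + 64] for i in range(0, len(compact), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pem, hashlib.sha256(der).hexdigest()

def read_idp_metadata(xml_text):
    """Return ({binding: sso_url}, [(pem, fingerprint), ...]) from your own IdP's metadata."""
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    urls = {s.get("Binding"): s.get("Location")
            for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [b64_to_pem(c.text or "")
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")   # no 'use' means signing and encryption
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return urls, certs

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate. " * 4
B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{B64[:76]}
      {B64[76:]}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml2"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for pem, fp in read_idp_metadata(SAMPLE_XML)[1]:
        print(pem + "SHA-256: " + fp)
```

Compare the printed fingerprint with the one your IdP shows for its signing certificate before pasting the PEM text into the Signing certificate box.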

The process of adding the configuration details may vary depending on the IdP you are using. Please refer to your IdP's guidance for further support.

Copy and paste your Single Sign-on URL and Signing certificate into the text boxes provided.

Once you have shared both sets of credentials between Taxi and your IdP, you can test the connection before you enable SSO on your account. A test connection can only be conducted when all data has been shared.

Testing the connection should open a new window where you will be redirected to your IdP to log into Taxi. If you cannot connect, please refer to the setup to check that all the information has been inputted correctly.

Please also ensure that when testing the connection, you have also assigned the Taxi application to your profile in your IdP.

Once the test connection is successful, you can enable SSO on your account.

Accessing your Taxi account once SSO is enabled

By default, we still allow users to sign into Taxi using their existing username and password. We support this workflow to enable those not part of your organisation (agencies/contractors) to access their Taxi account when SSO is enabled.

Enrolled users from outside your organisation will now need to log in via https://my.emailcms.net/login. Accessing Taxi via your domain (e.g. https://companyname.emailcms.net/login) will always redirect the user to your organisation's IdP.

If this is not needed for your organisation, you can update your SSO settings from the Security section of your Taxi account. You will need to complete the initial set-up of SSO before you can update the access settings.

Once enabled, we will end all active sessions within your Taxi account and ask users to sign into their account using SSO.

Adding users to Taxi

With both options, you can continue to add users via the Taxi UI, either individually or with the bulk upload option. When users log in, they will go through the Identity Provider page.

Make sure that new users have been added to teams or have the relevant permissions first so that they have all the correct access when they first log in.
