Freepik Enterprise – SAML 2.0 Single Sign-On (SSO) Integration Guide
1. Overview
Freepik Enterprise supports Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO). This lets your employees use their corporate Identity Provider (IdP) credentials to access Freepik securely—no separate passwords required.
Important: SSO is configured by Freepik Tech team on your behalf.
2. How It Works
- The user initiates sign-in from either the Freepik login page (SP-initiated) or your IdP portal (IdP-initiated).
- Your IdP returns a signed SAML Response to Freepik's Assertion Consumer Service (ACS) URL.
- Freepik validates the signature, maps attributes, and provisions or updates the user (Just-In-Time).
- The user is redirected to Freepik with an active session.
3. Prerequisites
- An active Freepik Enterprise subscription.
- An IdP capable of acting as a SAML 2.0 Identity Provider (Azure AD, Okta, ADFS, Google Workspace, PingOne, etc.).
- Ability to supply all of the following items to Freepik:
- X.509 SAML signing certificate (Base-64 PEM or CER file).
- Entity ID (IdP issuer / identifier).
- SSO Login URL (IdP SAML endpoint).
- Company Domain.
4. What Freepik Provides
| Parameter | Value | Notes |
|---|---|---|
| Assertion Consumer Service (ACS) URL | https://id.freepik.com/api/v2/login/saml?client_id=freepik&provider_id=entity_id | Replace entity_id with given provider . |
| Service Provider Entity ID | entity_id | Constant across all tenants. |
| NameID format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | E‑mail must be unique within Freepik. |
| Bindings | HTTP‑Redirect (AuthnRequest) / HTTP‑POST (Response) |
5. Attribute Mapping
| Attribute in Assertion | Required | Example |
|---|---|---|
| email / mail | Yes | alice@example.com |
| givenName / first_name | Yes | Alice |
| surname / last_name | Yes | Doe |
Attributes other than those listed are ignored.
6. High‑Level Flow
- User clicks Log in with SSO at Freepik (SP‑initiated) or launches the Freepik app from your IdP portal (IdP‑initiated).
- IdP issues a signed SAML Response to the Freepik ACS URL.
- Freepik validates the signature with the certificate you supplied, extracts the user’s attributes, and creates or updates the account.
- User is redirected to Freepik with an active session.
7. Step‑by‑Step Setup
Step 1 – Freepik will send SAML info
We generate your entity id in our system (entity_id)
| IdP Field | Value |
|---|---|
| Identifier (Entity ID) | entity_id |
| Reply URL (ACS) | https://id.freepik.com/api/v2/login/saml?client_id=freepik&provider_id=entity_id |
| Sign‑on URL | https://id.freepik.com/log-in?client_id=freepik |
| Logout URL (optional) | Should be given by the client |
Step 2 – Register Freepik in Your IdP
| IdP Field | Value |
|---|---|
| Identifier (Entity ID) | https://id.freepik.com/sp |
| Reply URL (ACS) | https://id.freepik.com/api/v2/login/saml?client_id=freepik&provider_id=entity_id |
| Sign‑on URL | https://id.freepik.com/log-in?client_id=freepik |
| Logout URL (optional) | Should be given by the client |
Step 3 – Send the Onboarding Form to Freepik
Email your Freepik Account Manager with the subject New SAML SSO – Your Company and attach:
| File / Value | Format |
|---|---|
| Signing certificate | .cer or .pem |
| Entity ID | Text |
| SSO Login URL | HTTPS |
| Xml metadata | Url or xml file to SAML metadata file |
Step 4 – Optional Sandbox Test
If you wish to validate against a dedicated staging tenant, request a sandbox in the same e‑mail. Provide a list of test e‑mail domains or user accounts.
Step 5 – Go‑Live
On the agreed date Freepik activates SSO‑only mode for your tenant. Users go to https://fp.0xu.xyz, choose 'Continue with your work mail - SSO login', and authenticate via your IdP.
8. Certificate Rotation
Notify Freepik at least 5 calendar days before the current certificate expires. Send the new certificate and, if required, a date/time for simultaneous rollover.
Can't find an answer to your question?