This guide outlines how enterprise customers can set up Single Sign-On (SSO), configure billing and permissions, and onboard teams to Magical. It is intended for IT administrators, billing administrators, and workspace admins responsible for rollout and ongoing management.
1. Single Sign-On (SSO) Setup
Overview
Magical uses WorkOS to support enterprise SSO. Once SSO is configured, users signing up with an approved company domain automatically authenticate using the organization’s identity provider.
SSO Configuration
• A Magical organization is created in WorkOS.
• The IT administrator receives a secure setup link.
• Using this link, the IT administrator connects the company’s identity provider (e.g., Okta, Azure AD, Google Workspace).
Testing the Connection
After configuration, the IT administrator should test SSO directly within Magical to confirm successful authentication.
SSO Sign-In Link
Organizations may share the following link internally for users signing in with SSO:
⸻
2. Domain Configuration
Primary Domain
• The primary company domain is associated with the Magical workspace.
• Users who sign up using this domain authenticate automatically via SSO.
Additional Domains
Organizations with multiple email domains may request additional domains to be approved. Options include:
• Whitelisting additional domains for SSO access
• Merging existing workspaces associated with other domains into the primary workspace
If users already exist under another domain, those workspaces can be merged. If not, a user from the additional domain may need to create an account and workspace before consolidation. Approved domains are then included in SSO authentication.
⸻
3. Billing Admins & Permissions
Billing Admin Role
Billing admins have high-level workspace permissions, including the ability to:
Assign and remove paid seats
View total available and used seats
Manage user permissions
Change users between paid and expired seats
Add/remove other Billing Admins
Seat assignment is handled manually; bulk user uploads are not currently supported.
⸻
4. End-User Onboarding Flow
Recommended Rollout
Organizations typically notify employees internally and provide instructions to install the Magical browser extension.
Step 1: Install the Magical Extension
Users install the Magical browser extension using the provided link. After installation, they are prompted to create an account.
Step 2: Create an Account & Authenticate
Users create an account using their company email.
If SSO is enabled, authentication occurs automatically via the organization’s identity provider.
Step 3: Join the Company Workspace
After account creation, users are prompted to join their company workspace:
A join prompt appears on the left side of the app.
Selecting the prompt and confirming displays the company logo, indicating successful workspace membership.
Step 4: Access Team Content
Once in the workspace, users can:
View shared team folders
Access synced templates and shortcuts
Use approved team content immediately
⸻
5. Seat Assignment & Trials
Trial Access
• New users who join a workspace are automatically placed on a two-week paid-seat trial.
• During the trial period, users have full access to paid features.
Assigning Paid Seats
To retain paid access after the trial:
1. Billing admins navigate to Workspace Settings → Members
2. The user is assigned to a paid seat
Users who are not upgraded after the trial period move to an expired seat with reduced access.
⸻
6. Team Folders & Content Management
Team Folder Admin Role
Team folder admins can:
• Create and manage team folders
• Add, edit, and organize shared templates
• Control which content is synced across the team
Team Folder Behavior
• Any user can join a team folder.
• Only admins can edit or manage folder content.
• Templates within team folders are synced automatically to all members.
• Users may copy templates to their personal home; copied templates are no longer synced.
How to share templates to a team
⸻
7. Enterprise Admin Checklist
Before rolling out Magical to the organization, administrators typically confirm:
• SSO connection is configured and tested
• All required domains are approved
• Billing admins are identified
• Team folder admins are assigned
• Initial team folders and templates are created
• Internal rollout messaging is prepared
⸻
8. Common Questions
Do users have to use SSO?
Users signing up with an approved company domain authenticate via SSO automatically.
Can users exist without a paid seat?
Yes. Users may join the workspace but must be assigned a paid seat to retain full access after the trial period.
Is bulk user provisioning supported?
Bulk user uploads are not currently supported. Users create accounts individually and are permissioned by a billing admin.