How to Verify a Domain for Your SAML Connection

Learn how to verify your email domain via DNS TXT record to enable SAML sign-in and just-in-time user provisioning in elvex.

When you set up a SAML connection in elvex, your identity provider (IdP) can only be used for sign-in and automatic user provisioning once elvex knows which email domains belong to your organization. Domain verification solves this by proving that your company owns the domain — for example, acme.com — so that only people with matching email addresses can sign in through your IdP and be auto-provisioned into your workspace.

You might need to verify a domain when:

  • You've just set up a SAML connection and want to enable SSO for your organization

  • Your company uses multiple email domains and you want to cover all of them

  • You want to enable just-in-time provisioning so new employees are automatically added to elvex when they first sign in

Once a domain is verified, users entering an @acme.com address on the elvex login page will be automatically redirected to your IdP for authentication, and new users will have their accounts created automatically with the role you've configured.

Before you begin

Step 1: Add the domain in elvex

  1. Under Domains, click Add domain

  2. Enter the domain (e.g. acme.com) and click Add

The domain will appear in the list with a status of Pending.

Step 2: Add the DNS TXT record

elvex will display a TXT record that you need to publish at your DNS provider. This record is how elvex confirms your organization controls the domain.

Field       | Value
Type        | TXT
Name / Host | _elvex-verification.acme.com (replace with your domain)
Value       | elvex-site-verification=<token shown in elvex>
TTL         | Default (or 300 if you want faster propagation)

Copy the values exactly as shown in elvex, then add the record at your DNS provider and save the change.

Note: DNS changes can take anywhere from a few minutes to several hours to propagate across the internet. You can check propagation status using dig TXT _elvex-verification.acme.com or a tool like dnschecker.org.

Step 3: Verify the domain in elvex

  1. Return to Settings > SAML

  2. Find the pending domain and click Verify

elvex performs a live DNS lookup. If the TXT record is found and matches, the domain status changes to Verified.

Troubleshooting failed verification

If verification fails, the most common causes are:

  • The record hasn't propagated yet — DNS changes can take time. Wait a few minutes and try again

  • The host name is incorrect — It must start with _elvex-verification. followed by your domain

  • The value is missing the prefix — The value field must begin with elvex-site-verification=

Check your DNS provider's settings to confirm the record was saved correctly, then click Verify again once propagation has had time to complete.
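
To check the record yourself before clicking Verify, the following added example (not elvex's own code) classifies dig +short TXT output against the failure causes listed above. The function names, verdict strings and optional resolver argument are assumptions of this example; the record name and value prefix come from this article.

```shell
#!/usr/bin/env bash
# Added example: pre-check the elvex verification TXT record before clicking Verify.
# The record name and value prefix are taken from the article; the token is
# whatever elvex shows for your domain and is passed in as an argument.

PREFIX='elvex-site-verification='

# classify_txt TOKEN   (reads `dig +short TXT <name>` output on stdin)
# Prints exactly one verdict and returns 0 only on a match:
#   match           a record equals PREFIX + TOKEN
#   token-mismatch  a record has the prefix but a different token
#   missing-prefix  TXT data exists at the name but none starts with PREFIX
#   no-record       nothing published at the name (not propagated / wrong host)
classify_txt() {
  local expected="$1" verdict=no-record line value
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    # dig prints TXT data quoted and splits long strings into "chunk" "chunk".
    value=$(printf '%s\n' "$line" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
    case "$value" in
      "${PREFIX}${expected}") echo match; return 0 ;;
      "$PREFIX"*) verdict=token-mismatch ;;
      *) if [ "$verdict" = no-record ]; then verdict=missing-prefix; fi ;;
    esac
  done
  echo "$verdict"
  return 1
}

# check_domain DOMAIN TOKEN [RESOLVER]   (live lookup; needs dig and network access)
check_domain() {
  dig +short TXT "_elvex-verification.$1" ${3:+"@$3"} | classify_txt "$2"
}

# Run a live check only when called with arguments, e.g.:
#   ./check.sh acme.com '<token shown in elvex>' 1.1.1.1
if [ "$#" -ge 2 ]; then
  check_domain "$@"
fi
```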

What happens after verification

Once a domain is verified, elvex will:

  • Link the domain to your SAML connection

  • Enable home-realm discovery, so users entering a matching email address on the elvex login page are automatically redirected to your IdP

  • Enable just-in-time provisioning — when someone with a verified domain email address signs in via your IdP for the first time, elvex automatically creates their account with the role you configured (or a role mapped from a SAML attribute group)

Important: Users whose email domain is not verified will be blocked from signing in via SAML.

Removing a domain

To stop accepting SAML logins from a domain, find it in the domain list and click Remove. Existing users who were provisioned through that domain will keep their accounts, but no new logins or auto-provisioning will occur from that domain going forward.
