SSO Setup
Configure single sign-on for your workspace
Overview
Single sign-on (SSO) lets your team members log into IdeaLift using your organization's existing identity provider. This eliminates the need for separate passwords, improves security, and simplifies user management.
IdeaLift uses Auth0 as its authentication platform, which means SSO configuration is reliable, standards-compliant, and compatible with all major identity providers.
Requirements
- Growth plan or higher: SSO is available on Growth, Scale, and Enterprise plans
- Verified domain: you must verify ownership of your email domain in workspace settings
- Admin or Owner role: only workspace Admins and Owners can configure SSO
- Identity provider access: you need admin access to your IdP (Okta, Azure AD, Google Workspace, OneLogin, etc.)
On Starter or Pro? Upgrade to Growth to enable SSO for your workspace.
Setting Up SAML SSO
SAML 2.0 is the industry standard for enterprise SSO. Follow these steps to connect your identity provider.
Step 1: Open SSO settings in IdeaLift
- Go to Dashboard → Settings → Security
- Click "Configure SSO"
- Select "SAML 2.0" as the protocol
- Copy the Entity ID and ACS URL shown on the page
Step 2: Configure your identity provider
In your IdP admin panel, create a new SAML application and enter the following values:
| Setting | Value |
|---|---|
| Entity ID | urn:auth0:idealift:your-connection-name |
| ACS URL | https://auth.idealift.app/login/callback?connection=your-connection-name |
The exact values are shown in your IdeaLift SSO settings page. Copy them from there to avoid typos.
Step 3: Map SAML attributes
Configure your IdP to send these attributes in the SAML assertion:
| Attribute | SAML Name | Required |
|---|---|---|
| Email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Yes |
| First Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Recommended |
| Last Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Recommended |
Step 4: Upload IdP metadata to IdeaLift
- Download the metadata XML or certificate from your IdP
- Return to IdeaLift SSO settings
- Upload the metadata file, or paste the Sign-In URL and the IdP's X.509 signing certificate (the certificate used to verify the signature on assertions)
- Click "Save Configuration"
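If a first login fails after Step 3, the quickest way to see what your IdP actually sends is to take the assertion from a SAML tracer and check its AttributeStatement against the mapping table above. The following is an added example written for this guide, not IdeaLift or Auth0 code: it checks that the required email attribute and the recommended name attributes are present under the exact claim names, and that the email domain is one your workspace has verified (the check the "SAML assertion errors" and "not assigned to the correct workspace" troubleshooting entries describe). The two assertions are constructed samples with no signature; the example assumes signature, audience and time-window validation already happened at the service provider and does none of it.

```python
"""Validate the attribute mapping of a SAML assertion.

Added example for this guide, not IdeaLift or Auth0 code. It inspects only the
AttributeStatement: the assertion's XML signature, audience and time conditions
are assumed to have been verified already by the service provider.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the mapping table in Step 3.
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVENNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
REQUIRED_ATTRS = (EMAIL_ATTR,)
RECOMMENDED_ATTRS = (GIVENNAME_ATTR, SURNAME_ATTR)


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {Attribute Name: [values]} from every AttributeStatement in the XML.

    Works on a bare <saml:Assertion> or on a <samlp:Response> wrapping one,
    because the search is depth-agnostic (".//").
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if not name:
            continue
        attrs[name] = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs


def email_domain(email: str) -> str | None:
    """Return the lower-cased domain of an address, or None if it is not one."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def check_mapping(assertion_xml: str, verified_domains: set[str]) -> list[str]:
    """Return the problems a practitioner would want flagged (empty list = OK)."""
    attrs = extract_attributes(assertion_xml)
    problems: list[str] = []

    for name in REQUIRED_ATTRS:
        if not any(attrs.get(name, [])):
            problems.append(f"required attribute missing or empty: {name}")
    for name in RECOMMENDED_ATTRS:
        if name not in attrs:
            problems.append(f"recommended attribute not sent: {name}")

    emails = [v for v in attrs.get(EMAIL_ATTR, []) if v]
    if emails:
        if len(emails) > 1:
            problems.append("emailaddress carries more than one value; send exactly one")
        domain = email_domain(emails[0])
        if domain is None:
            problems.append(f"emailaddress value is not an address: {emails[0]!r}")
        elif domain not in {d.lower() for d in verified_domains}:
            problems.append(f"email domain not verified for this workspace: {domain}")
    return problems


# Constructed sample: what a correctly configured IdP sends (signature omitted).
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_ATTR}"><saml:AttributeValue>Alice@Example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GIVENNAME_ATTR}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{SURNAME_ATTR}"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of a common misconfiguration: the IdP sends the address
# under a short friendly name instead of the claim URI, and omits the rest.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_decaf" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>bob@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_mapping(xml, {"example.com"}) or "OK")
```

Run it as-is to see the good assertion pass and the misnamed one report three problems; to check your own IdP, paste the decoded assertion from a browser SAML tracer into `check_mapping` with your verified domains. The domain comparison is case-insensitive on purpose: IdPs commonly emit mixed-case addresses, and a domain check that fails on `Example.com` would produce exactly the "not assigned to the correct workspace" symptom.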
Setting Up OAuth SSO
If your identity provider supports OAuth 2.0 / OpenID Connect (OIDC) instead of SAML, you can configure OAuth-based SSO.
Step 1: Create an OAuth application in your IdP
- In your IdP admin panel, create a new OAuth / OIDC application
- Set the application type to "Web Application"
- Set the redirect URI to the value shown in your IdeaLift SSO settings
Step 2: Enter credentials in IdeaLift
- Go to Dashboard → Settings → Security
- Select "OAuth / OIDC" as the SSO protocol
- Enter the Client ID, Client Secret, and Discovery URL (issuer URL)
- Click "Save Configuration"
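Before saving an OAuth / OIDC connection it is worth checking the discovery document the Discovery URL returns, because two of the most common failures (a login loop on a mismatched issuer, and the blank-page redirect covered under Troubleshooting) are visible there before any user is affected. The following is an added example written for this guide, not IdeaLift or Auth0 code. It applies the OIDC Discovery rule that the document's issuer must equal the Discovery URL with the well-known suffix removed, requires https on every endpoint, and shows why a redirect URI must be registered as an exact string. The discovery document, the tenant hostname and the registered redirect URI are constructed samples, and the IdeaLift redirect URI is an assumed value; copy the real one from your SSO settings page.

```python
"""Sanity-check an OIDC discovery document and redirect URI before saving them.

Added example for this guide, not IdeaLift or Auth0 code. The discovery
document and the IdP's registered redirect URIs below are constructed samples;
in practice you would GET the Discovery URL over TLS and pass the parsed JSON
body to check_discovery().
"""
from __future__ import annotations

from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def expected_issuer(discovery_url: str) -> str:
    """OIDC Discovery requires the document's issuer to equal the discovery URL
    with the well-known suffix removed, byte for byte (so no trailing slash)."""
    if not discovery_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError(f"not a discovery URL: {discovery_url}")
    return discovery_url[: -len(WELL_KNOWN_SUFFIX)]


def check_discovery(discovery_url: str, document: dict) -> list[str]:
    """Return the problems found (empty list = safe to save this Discovery URL)."""
    problems: list[str] = []
    if urlparse(discovery_url).scheme != "https":
        problems.append("discovery URL must use https")
    issuer = document.get("issuer")
    if issuer != expected_issuer(discovery_url):
        # Tokens from this provider would carry an `iss` claim that does not match
        # the issuer derived from the Discovery URL, so every login would fail
        # issuer validation; accepting it anyway would invite issuer confusion.
        problems.append(f"issuer {issuer!r} does not match discovery URL")
    for key in REQUIRED_ENDPOINTS:
        url = document.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in document.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    return problems


def redirect_uri_registered(registered: list[str], idealift_redirect_uri: str) -> bool:
    """Providers compare redirect URIs as exact strings: a different scheme,
    port, path or trailing slash is a different URI and the redirect is refused."""
    return idealift_redirect_uri in registered


# Constructed sample discovery document for a hypothetical tenant.
DISCOVERY_URL = "https://login.example.com/tenant-1/v2.0" + WELL_KNOWN_SUFFIX
GOOD_DOCUMENT = {
    "issuer": "https://login.example.com/tenant-1/v2.0",
    "authorization_endpoint": "https://login.example.com/tenant-1/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.com/tenant-1/oauth2/v2.0/token",
    "jwks_uri": "https://login.example.com/tenant-1/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}
# The same document with the one-character mistake that breaks issuer validation.
TRAILING_SLASH_DOCUMENT = dict(GOOD_DOCUMENT, issuer=GOOD_DOCUMENT["issuer"] + "/")

# Constructed: what an admin registered at the IdP versus what IdeaLift expects.
# IDEALIFT_REDIRECT_URI is an assumed value; copy the real one from your settings page.
IDEALIFT_REDIRECT_URI = "https://auth.idealift.app/login/callback"
REGISTERED_AT_IDP = ["https://auth.idealift.app/login/callback/"]  # stray trailing slash

if __name__ == "__main__":
    print(check_discovery(DISCOVERY_URL, GOOD_DOCUMENT) or "discovery OK")
    print(check_discovery(DISCOVERY_URL, TRAILING_SLASH_DOCUMENT))
    print("redirect registered:", redirect_uri_registered(REGISTERED_AT_IDP, IDEALIFT_REDIRECT_URI))
```

`expected_issuer` is the same derivation for every provider in the table of common discovery URLs (for the Microsoft URL it yields `https://login.microsoftonline.com/{tenant-id}/v2.0`), so you can use it to confirm that the issuer URL you enter as the Discovery URL is the one the provider will put in its tokens. The redirect check is deliberately a plain string comparison rather than a URL-normalising one: normalising would hide precisely the trailing-slash and scheme mismatches that cause the blank-page redirect.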
Common discovery URLs
| Provider | Discovery URL |
|---|---|
| Azure AD | https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration |
| Google Workspace | https://accounts.google.com/.well-known/openid-configuration |
| Okta | https://{your-domain}.okta.com/.well-known/openid-configuration |
Testing SSO
After configuring SSO, test the connection before rolling it out to your team.
- Click the "Test Connection" button in your SSO settings
- You will be redirected to your identity provider's login page
- Log in with a test account from your organization
- If successful, you will be redirected back to IdeaLift with a confirmation message
- Verify that the user's name and email were correctly mapped
Tip: Test with a non-admin account first. If the test fails, you can still access IdeaLift with your existing login method to adjust the configuration.
Managing SSO Users
Once SSO is enabled, user management becomes streamlined through your identity provider.
Automatic provisioning
When a user logs in via SSO for the first time, their IdeaLift account is created automatically and added to your workspace with the Member role; no invitation is needed. Because anyone who can authenticate through the connected IdP application receives an account, control who is assigned that application in your IdP rather than relying on invitations to limit access.
Enforcing SSO-only login
On Scale and Enterprise plans, you can require all workspace members to log in exclusively via SSO. This disables email/password login for users in your domain. Go to Settings → Security → "Require SSO" to enable.
Deprovisioning
When you remove a user from your identity provider, they can no longer log in via SSO. For immediate access removal, also remove them from the workspace in IdeaLift, or use SCIM provisioning (Enterprise plan) for automatic deprovisioning.
Troubleshooting
Users see "Invalid SSO configuration" when logging in
Verify that the Entity ID and ACS URL are entered in your identity provider exactly as shown in IdeaLift. The ACS URL must match character for character, including the trailing path and the connection query parameter.
SAML assertion errors after setup
Check that your IdP sends the email attribute (required) and the given name and surname attributes (recommended) under the exact SAML attribute names listed in Step 3. The email value must be an address at a domain verified in your workspace.
Users are created but not assigned to the correct workspace
Ensure that the email domain in your SSO configuration matches the domain of the users logging in. SSO users are automatically assigned to the workspace that owns the verified domain.
OAuth SSO redirects to a blank page
Double-check the redirect URI in your OAuth provider matches the one shown in IdeaLift settings. Clear your browser cache and try again.
Can I use both SAML and OAuth SSO at the same time?
Yes. You can configure both protocols simultaneously. Users will see options for both on the login page. Most organizations choose one for consistency.