SSO Setup (Enterprise)
Configure Single Sign-On with SAML for your organization. Enterprise plan feature.
Single Sign-On (SSO) allows your team to access DealView using your organization's identity provider.
SSO is available on Enterprise and Portfolio plans. Contact sales to upgrade.
Supported Providers
DealView supports SAML 2.0 SSO with:
- Okta
- Azure Active Directory
- Google Workspace
- OneLogin
- Ping Identity
- Any SAML 2.0 compliant provider
Before You Begin
You'll need:
- Admin access to your identity provider
- Admin access to your DealView workspace
- Your identity provider's SAML metadata
Configuration Steps
Step 1: Get DealView SAML Details
- Go to Settings → Security → SSO
- Click Configure SSO
- Note the following values:
  - ACS URL (Assertion Consumer Service)
  - Entity ID
  - Start URL
Step 2: Configure Your Identity Provider
In your IdP (example for Okta):
- Create a new SAML application
- Enter DealView's ACS URL
- Enter DealView's Entity ID
- Configure attribute mappings:
  - email → User's email address
  - firstName → User's first name
  - lastName → User's last name
- Save and activate the application
Step 3: Complete DealView Setup
- Return to DealView SSO settings
- Enter your IdP's metadata URL or upload XML
- Click Test Connection
- If successful, click Enable SSO
Attribute Mapping
Required attributes:
| Attribute | Description | Required |
|---|---|---|
| email | User's email address | Yes |
| firstName | First name | Recommended |
| lastName | Last name | Recommended |
Optional attributes:
- department - For team assignment
- role - For automatic role assignment
User Provisioning
Just-In-Time (JIT) Provisioning
New users are created automatically on first SSO login:
- Account created with default Member role
- Assigned to default workspace
- Admins can adjust permissions afterwards
SCIM Provisioning (Enterprise+)
For automated user management:
- User creation/deactivation syncs from IdP
- Group memberships map to DealView roles
- Contact support to enable SCIM
Testing SSO
Before enforcing SSO:
- Test with a pilot group
- Verify login works correctly
- Check role assignments
- Confirm logout behavior
- Test on mobile devices
Always maintain at least one local admin account in case SSO has issues.
Enforcing SSO
Once tested, enforce SSO-only access:
- Go to Settings → Security → SSO
- Enable Require SSO for all users
- Choose grace period for transition
- Communicate to your team
After enforcement:
- Password login is disabled
- Users must authenticate via SSO
- Admin bypass remains available
Troubleshooting
Login fails with "Invalid SAML Response"
- Verify ACS URL is correct in your IdP
- Check clock synchronization (SAML is time-sensitive)
- Ensure certificate hasn't expired
User not created after SSO login
- Verify email attribute is mapped correctly
- Check that email domain matches allowed domains
- Review IdP attribute statements
"User already exists" error
- User may have created account before SSO
- Link existing account via Settings → Profile
- Or contact support to merge accounts
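The checks listed under "Invalid SAML Response" and "User not created after SSO login" can be run against a captured, base64-encoded SAMLResponse before opening a support ticket. The script below is an added example, not DealView code: it assumes the IdP sends attributes under the literal names email, firstName and lastName, uses placeholder URLs in a constructed sample, and does not verify the signature or the certificate, so it is a diagnostic aid only.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    # SAML instants are UTC xs:dateTime; drop optional fractional seconds.
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def diagnose(response_b64, acs_url, entity_id, now=None, skew=timedelta(minutes=2)):
    """List likely causes of a rejected login for one captured SAMLResponse.
    Diagnostic only: no signature or certificate check is performed."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(response_b64))
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return findings + ["no Assertion/Conditions (encrypted or failed response?)"]
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        findings.append("NotBefore is in the future: check clock sync")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        findings.append("NotOnOrAfter has passed: check clock sync")
    audiences = [a.text for a in cond.iter("{%s}Audience" % NS["saml"])]
    if entity_id not in audiences:
        findings.append("Audience does not contain the Entity ID")
    names = {a.get("Name") for a in root.iter("{%s}Attribute" % NS["saml"])}
    if "email" not in names:
        findings.append("required attribute 'email' is missing")
    findings += [f"recommended attribute '{r}' is missing"
                 for r in ("firstName", "lastName") if r not in names]
    return findings

# Constructed sample (placeholder URLs, not real DealView values); the IdP
# sends "mail" instead of "email", a common attribute-mapping mistake.
ACS, ENTITY = "https://sp.example.test/saml/acs", "https://sp.example.test/saml/metadata"
SAMPLE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" Destination="{ACS}"><saml:Assertion>
 <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>{ENTITY}</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="mail"/>
  <saml:Attribute Name="firstName"/><saml:Attribute Name="lastName"/></saml:AttributeStatement>
</saml:Assertion></samlp:Response>""".encode()).decode()

if __name__ == "__main__":  # simulated verifier clock 9 minutes after NotBefore
    print(diagnose(SAMPLE, ACS, ENTITY, now=datetime(2024, 5, 1, 10, 9, tzinfo=timezone.utc)))
```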
IdP-Specific Guides
Okta
- Create SAML 2.0 app
- Use "Custom" app template
- Configure ACS URL and Entity ID
- Assign users/groups
Azure AD
- Create Enterprise Application
- Select "SAML" for SSO method
- Configure Basic SAML Settings
- Download Federation Metadata XML
Google Workspace
- Admin Console → Apps → SAML Apps
- Add custom SAML app
- Enter DealView details
- Configure attribute mapping
Disabling SSO
To revert to password authentication:
- Go to Settings → Security → SSO
- Click Disable SSO
- Users can now set passwords via reset flow
Disabling SSO requires users to reset their passwords. Plan communication accordingly.