Single Sign-On (SSO) Setup

Availability: Enterprise tier. Coordinate with your security team before enabling.

What SSO does

• Uses your IdP (Okta, Azure AD, Google Workspace, etc.) for authentication.
• Lets you enforce MFA and session policies centrally.
• Keeps access logs aligned to your access control program.

Requirements

• Enterprise subscription and admin access in StartupVision.
• Admin rights in your IdP to create an app/integration.
• SAML 2.0 or OIDC client credentials.

SAML quickstart

1. In your IdP, create a new SAML app.
2. ACS/Callback URL: https://startupvision.ai/sso/callback
3. Entity ID/Audience: https://startupvision.ai/sso
4. Attributes: email (required), name (optional).
5. Download IdP metadata (XML) or note: Issuer, SSO URL, x509 cert.
6. In StartupVision (Enterprise admin), upload metadata or paste: Issuer, SSO URL, x509 cert. Save.
7. Test with a non-admin account before rolling out.

OIDC quickstart

1. In your IdP, register a confidential client.
2. Redirect URI: https://startupvision.ai/sso/oidc/callback
3. Scopes: openid email profile
4. Copy client ID and client secret.
5. In StartupVision (Enterprise admin), add issuer URL, client ID, and secret. Save.
6. Test with a non-admin account.

Best practices

• Require MFA in your IdP.
• Map groups/roles in your IdP and review periodically.
• Pair with Audit Logs for evidence; keep retention aligned to your policy.
• Disable local login for users after successful rollout (optional, by request).

Troubleshooting

• 403/unauthorized: confirm ACS/redirect URL matches exactly.
• Missing email claim: ensure IdP sends primary email attribute.
• Clock skew: verify IdP and StartupVision clocks via NTP.
• Still stuck? Contact support with request ID/time of failure.