Connection

Identity provider

ACS URL generated

Choose the protocol your customer's identity provider expects.

Domains

Company login domains

Users with these email domains will be routed through SAML 2.0 after activation.

1 verified
northstar.example
northstar-analytics.example

Add verified company domains or start a DNS ownership check for pending domains.

Service provider values

ACS URL

https://app.example.com/sso/saml/acs/northstar

Service provider entity ID

urn:dom-studio:northstar

Metadata

IdP configuration

Paste signed IdP metadata. Store the certificate fingerprint and expiration on the server.

Provisioning

Group role mapping

Preview which IdP groups become admins, members, or reviewers before access is enforced.

1 needs review
Okta - Product admins
Okta - Analysts
Okta - Finance reviewers

Choose imported IdP groups to include in the initial rollout.

IdP group

Okta - Product admins

Workspace role

Workspace admin

42 users
Synced

IdP group

Okta - Analysts

Workspace role

Member + viewer seat

188 users
Synced

IdP group

Okta - Finance reviewers

Workspace role

Billing reviewer

19 users
Review

Rollout safety

Activation checklist

Keep recovery access and communication policy visible before you require SSO for all verified domains.

Keep at least two break-glass admins outside forced SSO until the first successful production login and support handoff are confirmed.
Send a preview email with the activation date, approved domains, recovery contact, and what changes at the next sign-in.
Allow fallback for a short migration window, then require SSO for verified company domains after the customer confirms adoption.

Test result

Waiting for test

Run a test with an admin account before activation.

SSO test passed

The test assertion matched this draft configuration. Keep activation server-owned and require a privileged admin action before enforcing login.

Matched claims

email, name, groups, certificate fingerprint, and recipient URL were accepted.

Recommended next step

Notify admins, preserve fallback access, then activate forced SSO for verified domains.