Set up single sign-on
Single sign-on settings live at https://lengrowth.com/settings/sso.
When to use this
The page heading is SSO Settings, and the page subtitle says Configure SAML or OIDC, map groups to roles, and validate the login flow.
The page is built around one company at a time. If there is no company selected, LenGrowth will ask you to pick one before you can continue.
The page provides four high-level actions in the header:
Reload
Test config
Initiate flow
Save changes
It also shows a provider summary card so you can see the currently stored identity state at a glance.
Use the SSO page when you want to:
Configure a new SAML or OIDC connection
Update the issuer, client, or metadata values for a provider
Restrict access to approved domains
Turn JIT provisioning on or off
Set the default role for new members
Link group membership to LenGrowth roles
Validate a configuration before rolling it out to your team
If you only need to provision users or reconcile memberships after SSO is already working, use https://lengrowth.com/settings/scim.
Step-by-step
Select the company you want to configure.
Wait for the current identity configuration to load.
Check the provider summary card before editing any fields.
The summary card is useful because it reflects the provider type, whether JIT provisioning is enabled, whether SCIM is enabled, the allowed domains, and the latest login or sync status if those values exist.
The Provider dropdown gives you two options:
OIDC
SAML
Choose the provider that matches your identity platform. LenGrowth stores one provider at a time per company, so make sure you are editing the right one before filling in the rest of the fields.
The Identity provider card includes the core connection fields.
Depending on the provider, you may need to supply:
Issuer
Metadata URL
Authorization URL
Token URL
Client ID
Client secret
SAML entity ID
SAML certificate
Allowed domains
Use these fields carefully. The page does not ask you to guess which values are needed. It gives you a place for each one so you can paste the values from your identity provider cleanly.
For Allowed domains, enter a comma-separated list such as example.com, team.example.com.
Below the core metadata fields, the page includes a few important controls:
JIT provisioning
Default role
Enable SCIM
JIT provisioning determines whether LenGrowth creates memberships automatically when a valid SSO session arrives. If you enable it, new people can land in the workspace with the default role you chose.
The Default role dropdown includes:
owner
admin
manager
contributor
specialist
viewer
guest
Choose the least privileged role that still fits your access model. If you are not sure which role should be the default, pause and confirm it with the workspace owner before saving.
The Enable SCIM switch turns on token-based provisioning and reconciliation endpoints. If you need automated lifecycle management, this is the toggle that connects SSO configuration to the SCIM page.
The Mapping rules card is where you define group mappings.
Open the mapping editor.
Add a mapping for each external group that should map into LenGrowth.
Choose the role that group should receive.
Add a short description if you want a human-readable reminder.
Save the configuration once the mappings are complete.
The page description is deliberate here: keep provider metadata separate from group-to-role mappings so you can rotate identity providers safely. That means you should treat mappings as policy, not as part of the raw connection values.
Once the fields are filled in, use Test config.
Review the provider, domains, and mappings.
Click Test config.
Wait for the success or failure message.
Fix any missing or incorrect value before saving.
The test button is the fastest way to catch a typo before the identity setup reaches users. If the test passes, the page shows a success message that the configuration looks healthy.
The Initiate flow button opens a provider-specific login flow for the current provider.
Confirm the provider selection.
Click Initiate flow.
Watch for a new browser tab or window.
Complete the provider-side login or consent flow.
This is useful when you want to verify the live experience instead of only testing the saved fields. It is also a good final check before you share the setup with your team.
Review all fields one last time.
Make sure allowed domains are correct.
Confirm that JIT provisioning and SCIM are set the way you want.
Check the group mappings.
Click Save changes.
The save action stores the current provider settings for that company. The page then updates the summary card so you can confirm the saved state.
After a successful save, LenGrowth keeps the provider summary in sync with the latest configuration. You should expect:
The summary card to reflect the saved provider and provisioning state
The company’s identity flow to use the updated values
Group mappings to influence how new users are assigned roles
The SSO page to remain the main place for provider metadata and testing
If you enabled SCIM here, use https://lengrowth.com/settings/scim to manage the provisioning tokens and sync status separately.
SSO is company-specific. Select the right company before editing the provider.
Pick the provider that matches your identity platform. The page only supports one provider at a time per company.
Recheck the issuer, URLs, client information, certificate, and allowed domains. A typo in any one of those values can stop the test from passing.
Make sure your browser allows new tabs or windows. The flow opens in a separate window when the provider returns an authorization URL.
That means provisioning is not enabled for this company yet. Turn on the Enable SCIM switch if you intend to use the SCIM page.
Common problems
If something does not look right, confirm you are using the correct account, page, and permission level.
Related articles