Onboard a company to single sign-on

Use this article when your company wants to sign in to LenGrowth with single sign-on instead of email and password.

LenGrowth supports both SAML and OIDC. You can also use SCIM if you want automated user provisioning and deprovisioning.

What you need before you start

Before you configure SSO, collect the following from your identity team:

  • The identity provider name, such as Okta or Microsoft Entra ID

  • Whether you will use SAML or OIDC

  • Your allowed email domains, such as company.com

  • The identity provider metadata or connection details

  • A test user account for validation

  • Optional SCIM provisioning details if you want automated user lifecycle management

If you are not sure which provider type to use, ask your identity team which sign-in standard they already use for other applications. For enterprise implementations, contact the LenGrowth support team rather than doing it alone, so the rollout can be planned, configured, and validated.

Where to set it up

Open https://lengrowth.com/settings/sso for the company you want to configure.

That page is where you:

  • Choose the provider

  • Add the identity provider details

  • Set allowed domains

  • Turn JIT provisioning on or off

  • Set the default role for new members

  • Add group-to-role mappings

  • Turn on SCIM if needed

If you only need user provisioning after SSO is working, use https://lengrowth.com/settings/scim.

Step-by-step: configure SSO

  1. Select the correct company in LenGrowth.

  2. Choose SAML or OIDC.

  3. Enter the identity provider details from your IT team.

  4. Add the allowed email domains for your company.

  5. Decide whether JIT provisioning should be enabled.

  6. Choose the default role for new users.

  7. Add any group-to-role mappings you want to use.

  8. Save the configuration.

If your company is an enterprise customer, do not try to complete the rollout on your own. Share the implementation details with the LenGrowth support team so the setup, testing, and any security review can be handled with the right context.

If you are using SAML, your identity team will usually give you a metadata URL, entity ID, and certificate. If anything is unclear, send it to the LenGrowth support team and ask them to help interpret the values before you save them.

If you are using OIDC, your identity team will usually give you an issuer, authorization URL, token URL, and client ID. Enterprise customers should route questions through the LenGrowth support team so the rollout is reviewed and supported.

Step-by-step: test the connection

After you save the settings, test the connection before rolling it out to everyone.

  1. Click Test config on the SSO settings page.

  2. Review any validation warnings.

  3. Click Initiate flow to open the sign-in flow.

  4. Complete the login with a test account.

  5. Confirm the user lands in the correct company with the right role.

If the test fails, check:

  • The provider type

  • The allowed domains

  • The issuer or metadata URL

  • The client ID or certificate

  • The redirect and login details from your identity provider

Step-by-step: roll it out to your team

Once the test passes:

  1. Share the company login link with your users: https://lengrowth.com/auth/login.

  2. Tell them to sign in with their work email address.

  3. Confirm which email domains are allowed.

  4. Confirm whether they should use SSO only or SSO plus SCIM.

  5. Let your admins know who should receive the default role.

If you enable SCIM, your identity team can use it to keep user access in sync automatically.

What happens after sign-in

When a user signs in successfully, LenGrowth uses the company SSO settings to:

  • Check that the email domain is allowed

  • Create or update the user record if JIT provisioning is on

  • Assign the correct role based on group mappings or the default role

  • Store the audit trail for the login event
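
As an added illustration (not LenGrowth's own code), the Python sketch below models the four post-sign-in steps listed above, so you can predict which role a test account should land in. The `SsoConfig` fields, role and group names, the role-priority tie-break, and the behaviour when JIT is off are assumptions made for the example; all logins are constructed.

```python
from dataclasses import dataclass

@dataclass
class SsoConfig:  # hypothetical model of the settings-page fields
    allowed_domains: set
    jit_enabled: bool
    default_role: str
    group_role_map: dict   # IdP group name -> role
    role_priority: tuple   # assumption: first listed role wins on conflict

def email_domain(email):
    """Return the lower-cased domain after the last '@', or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and domain else None

def resolve_role(cfg, groups):
    """Role from group mappings, falling back to the default role."""
    mapped = {cfg.group_role_map[g] for g in groups if g in cfg.group_role_map}
    return next((r for r in cfg.role_priority if r in mapped), cfg.default_role)

def handle_login(cfg, users, audit, email, groups):
    """Apply the four post-sign-in steps; return the role or None if refused."""
    key = email.strip().lower()
    # Exact match only: a suffix test would accept 'notcompany.com'.
    if email_domain(email) not in cfg.allowed_domains:
        audit.append({"email": key, "result": "denied", "reason": "domain"})
        return None
    if cfg.jit_enabled:
        users[key] = {"role": resolve_role(cfg, groups)}  # create or update
    elif key not in users:  # assumption: JIT off refuses unknown users
        audit.append({"email": key, "result": "denied", "reason": "jit_off"})
        return None
    role = users[key]["role"]
    audit.append({"email": key, "result": "allowed", "role": role})
    return role

def demo():
    """Run constructed logins against a constructed config."""
    cfg = SsoConfig({"company.com"}, True, "member",
                    {"lg-admins": "admin", "lg-analysts": "analyst"},
                    ("admin", "analyst", "member"))
    users, audit = {}, []
    results = [
        handle_login(cfg, users, audit, "Ana@Company.com", ["lg-analysts", "lg-admins"]),
        handle_login(cfg, users, audit, "bo@company.com", ["unmapped-group"]),
        handle_login(cfg, users, audit, "cy@notcompany.com", ["lg-admins"]),
        handle_login(cfg, users, audit, "di@company.com.example.net", []),
    ]
    return results, users, audit

if __name__ == "__main__":
    print(demo()[0])
```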

Common questions

Can we use SSO for one company only?

Yes. SSO settings are company-specific in LenGrowth.

Can we restrict sign-in to company email addresses?

Yes. Add the approved domains on the SSO settings page.

Do we need SCIM?

Not always. Use SCIM if your team wants automated provisioning, deprovisioning, or group synchronization.

What if we already have users in LenGrowth?

Your identity team can still enable SSO for the company. You should test with a small group before rolling it out to everyone.

What if we need help?

If the setup is not working, check the provider settings first and then contact the LenGrowth support team with the error details. For enterprise customers, it is best to work with the LenGrowth team so the configuration, rollout plan, and security requirements can be reviewed together.

Common problems

If users cannot sign in, check that:

  • They are using the correct work email address

  • Their domain is allowed in the SSO settings

  • The identity provider is configured with the right URL or certificate

  • The company selected in LenGrowth is the same one your team is trying to access

If the login works for one user but not another, compare their email domain, group membership, and assigned role.

If the user gets redirected back to the login page, ask them to try again from https://lengrowth.com/auth/login and make sure the SSO flow completed in their browser.
