Enterprise SSO
Connect your identity provider to ChangeVault so your team signs in with their company credentials.
Enterprise SSO lets your organization authenticate via your own identity provider (IdP) using SAML 2.0. Users with a matching email domain are automatically routed to your IdP at sign-in — no individual invites required.
Enterprise SSO requires the Enterprise plan. Group → role mapping is included.
Supported identity providers
| Provider | Protocol | Notes |
|---|---|---|
| Microsoft Entra ID (Azure AD) | SAML 2.0 | Supports group claims for role mapping |
| Google Workspace | SAML 2.0 | Supports group attribute mapping |
| Okta | SAML 2.0 | Supports group attribute statements |
| Generic SAML 2.0 | SAML 2.0 | Any standards-compliant IdP |
Setting up SSO
1. Open the SSO panel
- Sign in as an Admin on the Enterprise plan
- Go to Settings in the sidebar
- Scroll to the Single Sign-On (SSO) section
- Click Add connection
2. Choose your identity provider
Select your IdP from the provider picker. ChangeVault pre-fills sensible defaults for attribute mappings.
3. Enter basic details
| Field | Description |
|---|---|
| Connection name | A label for this connection (e.g. Contoso SSO) |
| Email domain | Users with this domain are routed to this IdP (e.g. contoso.com) |
4. Configure the IdP connection
Option A — Metadata URL (recommended)
Paste your IdP's federation metadata URL. ChangeVault fetches the certificate and endpoints automatically.
Option B — Manual
Enter the IdP Entity ID, SSO URL and X.509 certificate (PEM format) individually.
5. Configure ChangeVault as a Service Provider in your IdP
After creating the connection, ChangeVault shows two values to copy into your IdP:
| Value | Description |
|---|---|
| ACS URL (Reply URL) | Where your IdP sends the SAML assertion |
| SP Entity ID (Audience URI) | Identifies ChangeVault to your IdP |
Provider-specific instructions
Microsoft Entra ID
- In the Azure Portal → Entra ID → Enterprise applications → New application
- Choose Create your own application → Non-gallery → name it
ChangeVault→ Create - Go to Single sign-on → SAML
- Under Basic SAML Configuration:
- Identifier (Entity ID): paste the SP Entity ID from ChangeVault
- Reply URL (ACS URL): paste the ACS URL from ChangeVault
- Under SAML Signing Certificate, copy the App Federation Metadata URL and paste it as the Metadata URL in ChangeVault
- Under Users and groups, assign users or groups to the application
- To send group membership claims for role mapping: go to Token configuration → Add groups claim → select Security groups
Google Workspace
- In the Google Admin Console → Apps → Web and mobile apps → Add app → Add custom SAML app
- Download the IdP metadata or copy the SSO URL and certificate
- Set the ACS URL and Entity ID from ChangeVault
- Add attribute mappings:
email,firstName,lastName - Assign users or organizational units to the app
Okta
- In Okta → Applications → Create App Integration → SAML 2.0
- Set the Single sign-on URL (ACS URL) and Audience URI (SP Entity ID) from ChangeVault
- Add attribute statements for
email,firstName,lastName - Add a Group Attribute Statement named
groups(regex:.*) for role mapping - Copy the Identity Provider metadata URL from the Sign On tab and paste it in ChangeVault
Group → role mapping
You can automatically assign ChangeVault roles based on the IdP group a user belongs to.
How it works
When a user signs in via SSO for the first time (or rejoins the organization), ChangeVault reads the SAML attribute containing their groups and assigns the matching role. If no mapping matches, the user keeps the default Member role.
Configuring mappings
-
In Settings → SSO, expand a connection and click Group → Role mappings
-
Set the Group attribute name — the SAML attribute your IdP sends group data in:
Provider Typical attribute name Entra ID http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsGoogle Workspace groupsOkta groups -
Add mapping rows:
Group value ChangeVault role IT-AdminsAdmin IT-StaffMember IT-ViewersReader -
For Entra ID, group values can be the group's display name or its Object ID (GUID) depending on how you configured the token claims.
Mappings are evaluated in the order shown. The first match wins.
Sign-in flow
Once SSO is configured and active:
- A user visits
https://app.changevault.dev/sign-in - They type their email address (e.g.
alice@contoso.com) and click Continue - ChangeVault detects the
contoso.comdomain and redirects to your IdP - The user authenticates with their company credentials
- The IdP redirects back to ChangeVault with a SAML assertion
- ChangeVault creates or updates the user's account and applies any group → role mappings
- The user lands in the dashboard
Users must enter their email address in the email field — clicking a social login button (Google, Microsoft) does not trigger SAML SSO.
Managing connections
| Action | Where |
|---|---|
| View connection status and SP details | Settings → SSO → expand a connection |
| Update group → role mappings | Settings → SSO → Group → Role mappings |
| Remove a connection | Settings → SSO → expand → Remove |
Removing a connection does not delete existing user accounts — it only prevents future SSO sign-ins via that connection.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Nothing happens after entering email | SSO connection is disabled | Activate the connection in the SSO panel |
400 Bad Request from IdP | ACS URL or Entity ID mismatch | Check both values are copied exactly |
| User lands on wrong page after sign-in | Clerk paths not configured | Ensure Sign-in / Sign-up paths in your Clerk instance point to the app URL |
| Group mappings not applied | Attribute name doesn't match | Check the attribute name in your IdP's token/claim configuration |
| Certificate error | Expired or wrong certificate | Re-fetch the metadata URL or re-enter the certificate |