What is Single Sign-On (SSO)?
Single Sign-On (SSO)
Leadline gives you the ability to implement mandatory Single Sign-On (SSO) for your organization, providing a secure and streamlined authentication experience for your team.
We support both SAML 2.0 and OpenID Connect (OIDC) protocols.
This feature is part of the Leadline Professional/Enterprise plan. Contact our sales team at sales@getleadline.com to learn more.
How does it work?
When Single Sign-On is enabled, members of your organization must authenticate through your Identity Provider (IdP) to access Leadline. This ensures that all access to your organization's data and resources is centrally managed and secured through your existing identity infrastructure.
We use email addresses to identify SSO users. As a user, make sure that your organizational email address (e.g. your company email) has been added to your Leadline account settings.
When users attempt to log in, they will be prompted to complete the Single Sign-On authentication flow. Instead of using a traditional username and password, they'll be redirected to your organization's Identity Provider to authenticate.
Single Sign-On only governs access to your organization's workspace in Leadline. Members may have personal Leadline accounts or belong to other organizations outside of the SSO flow.
Supported Identity Providers
Leadline can integrate with a variety of Identity Providers, including:
- Okta
- Microsoft Entra ID (formerly Azure AD)
- Google Workspace
- OneLogin
- Auth0
- Any SAML 2.0- or OIDC-compliant Identity Provider
Leadline works with any standards-compliant Identity Provider, giving you the flexibility to use the identity solution that best fits your organization.
Benefits of SSO
Enhanced Security
Single Sign-On provides several security advantages:
- Centralized access control: Manage all user access from one location
- Reduced password fatigue: Users maintain fewer passwords, reducing the risk of weak or reused credentials
- Centralized deprovisioning: When an employee leaves your organization, disabling their IdP account blocks any further SSO sign-in to Leadline; with SCIM provisioning enabled, their active Leadline session is revoked immediately as well
- Multi-factor authentication: Leverage your IdP's MFA capabilities for additional security
Improved User Experience
SSO creates a seamless experience for your team:
- One-click access: Users authenticate once and gain access to all connected applications
- Faster onboarding: New team members can access Leadline immediately using their existing company credentials
- Reduced IT overhead: Fewer password reset requests and account management tasks
Compliance and Auditing
Meet regulatory requirements more easily:
- Audit trails: Track authentication events and access patterns
- Compliance support: Help satisfy access-control requirements under frameworks and regulations such as SOC 2, HIPAA, and GDPR
- Centralized policy enforcement: Apply consistent security policies across all applications
User Access and Session Expiration
The SAML 2.0 and OIDC sign-in flows do not push a notification to Leadline when a user's access is revoked in your Identity Provider (IdP). If a user's Leadline session is still active when you disable them in your IdP, they remain signed in until that session expires.
When their session expires and they attempt to sign in again through SSO, Leadline checks their status with your IdP. If their IdP access has been revoked, they will no longer be able to sign in.
To cut off access before the session expires, disable or delete the user in your IdP and also remove their account from your organization in Leadline's admin hub. Disabling the IdP account alone only prevents future sign-ins.
When SCIM provisioning is enabled, deprovisioning a user in your IdP immediately revokes their access to Leadline and logs them out, without waiting for their session to expire.
Role Mapping
We support basic role mapping that is configured manually during the SSO setup process.
Matching Email Domains
When enabled, matching email domains control Just-in-Time (JIT) provisioning. Leadline will only create a new user account via JIT if the email address returned in the IdP assertion belongs to one of the verified email domains for your organization.
Existing users can continue to sign in with SSO even if their email uses a different or personal domain, as long as the email in Leadline matches the email returned by your Identity Provider.
This adds an additional layer of security by ensuring that only users with your organization's verified email domains are automatically provisioned into Leadline via SSO.
To add an email domain, you must navigate to the Branded Emails tab within the admin hub and add the domain to the verified domains list.
Just-in-Time (JIT) Provisioning
Leadline supports Just-in-Time user provisioning, which automatically creates user accounts the first time someone authenticates via SSO. This eliminates the need to manually create accounts for each team member.
When a user successfully authenticates through your IdP:
- Leadline checks if an account exists for that email address
- If no account exists, one is automatically created
- The user is assigned to your organization with the appropriate role based on your role mapping configuration
- The user gains immediate access to Leadline
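The following is an added illustration of the decision the Matching Email Domains, Role Mapping and JIT Provisioning sections describe; it is not Leadline's code. The function names, the Decision type, the group-to-role mapping and the sample members, domains and assertions are all constructed for the example. It shows the two checks a practitioner should care about: an existing member is matched by exact (case-normalized) email regardless of domain, while a new account is only created when the asserted address's domain is an exact member of the verified list, so a look-alike domain such as evil-example.com is rejected rather than slipping through a suffix match.

```python
"""SSO login decision modelled on the provisioning rules described above.

Added example, not Leadline's implementation. All names and sample data are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Decision:
    outcome: str           # "link-existing", "jit-create" or "reject"
    email: str             # normalized address taken from the IdP assertion
    role: Optional[str] = None
    reason: str = ""


def normalize_email(raw: str) -> str:
    """Lower-case and trim so that comparisons are exact-match.

    No plus-tag or dot stripping is done: the IdP is the source of truth for
    the address, and rewriting it would let two distinct identities collide.
    """
    email = raw.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a well-formed email address: {raw!r}")
    return email


def domain_of(email: str) -> str:
    return email.rpartition("@")[2]


def map_role(idp_groups: List[str], role_mapping: Dict[str, str], default: str) -> str:
    """Return the role of the first mapped IdP group, in mapping order.

    The mapping is ordered most-privileged first, so a user who is in both an
    admin and a member group receives the admin role deterministically.
    """
    for group, role in role_mapping.items():
        if group in idp_groups:
            return role
    return default


def decide_login(
    asserted_email: str,
    idp_groups: List[str],
    existing_members: Set[str],
    verified_domains: Set[str],
    role_mapping: Dict[str, str],
    default_role: str = "member",
) -> Decision:
    email = normalize_email(asserted_email)

    # Existing members sign in regardless of domain: the asserted email must
    # exactly equal the email already on the Leadline account.
    if email in {normalize_email(m) for m in existing_members}:
        return Decision("link-existing", email, reason="email matches an existing member")

    # JIT provisioning is gated on an exact domain match against the verified
    # list. A suffix test such as email.endswith("example.com") would wrongly
    # accept "attacker@evil-example.com"; set membership does not.
    if domain_of(email) not in {d.strip().lower() for d in verified_domains}:
        return Decision("reject", email, reason="domain is not verified for this organization")

    role = map_role(idp_groups, role_mapping, default_role)
    return Decision("jit-create", email, role=role, reason="new account provisioned via JIT")


# Constructed sample data for the demonstration (hypothetical organization).
VERIFIED_DOMAINS = {"example.com", "example.co.uk"}
EXISTING_MEMBERS = {"dana@example.com", "pat.personal@gmail.com"}
ROLE_MAPPING = {"leadline-admins": "admin", "leadline-members": "member"}


def run_examples() -> List[Decision]:
    """Evaluate a fixed set of constructed IdP assertions (email, groups)."""
    cases = [
        ("Dana@Example.com", ["leadline-members"]),                    # existing, case differs
        ("pat.personal@gmail.com", []),                                # existing, personal domain
        ("new.hire@example.com", ["leadline-members", "leadline-admins"]),  # JIT, admin wins
        ("attacker@evil-example.com", ["leadline-admins"]),            # look-alike domain
        ("stranger@gmail.com", []),                                    # unknown, unverified domain
    ]
    return [decide_login(e, g, EXISTING_MEMBERS, VERIFIED_DOMAINS, ROLE_MAPPING) for e, g in cases]


if __name__ == "__main__":
    for d in run_examples():
        print(f"{d.email:30} {d.outcome:14} role={d.role} ({d.reason})")
```

Running the module prints one line per constructed assertion. The two existing members link to their accounts even though one uses a personal domain, the new hire is created with the admin role because that group is mapped first, and both the look-alike domain and the unknown personal address are rejected.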
Token Expiration
SSO sessions are managed using secure tokens that expire based on your configured session timeout. Users must re-authenticate when their session expires.
Account Linking
Users who have existing Leadline accounts with their organizational email address will have their accounts automatically linked when SSO is enabled. They will then be required to use SSO for all future logins to access your organization.
How to Enable SSO
You must be a company administrator with access to the admin hub, and your organization must have purchased a Leadline Professional or Enterprise plan.
- Navigate to the Admin Hub > Users & Security
- Click the "Enable SSO" Button
- Select an Identity Provider
- Follow the steps on the screen to connect (the set-up instructions depend on whether you are configuring SSO through SAML or OIDC)