ContextDx
New: architecture for every role
Docs
Pricing
Blog
Boards
Getting StartedCore ConceptsPlatform FeaturesRole-Specific GuidesReference & ResourcesSelf-HostedSources

Reference & Resources

Integrations ReferenceOrganization SettingsBoards APIEnterprise SSOPermissions & Access Control
Reference & Resources
Integrations ReferenceOrganization SettingsBoards APIEnterprise SSOPermissions & Access Control
Reference & ResourcesEnterprise SSO

Last updated July 5, 2026

Enterprise SSO

Single sign-on lets your team reach ContextDx through the identity provider you already run — Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, or any provider that speaks SAML 2.0 or OpenID Connect (OIDC). Members sign in with the credentials they use everywhere else, and you decide who gets in from your IdP instead of managing a second set of passwords.

You'll set this up in about 15 minutes, and it comes down to four steps:

  1. Create an application in your identity provider
  2. Connect it in Settings → SSO configuration
  3. Verify your email domain with a DNS record
  4. Test the login — then, when you're ready, require SSO for everyone
Note

Enterprise SSO is an organization admin task, and it's available on the Team plan (5 or more editors) and on Enterprise. If you don't see the SSO configuration panel, check your plan or ask your workspace owner. If your plan changes to one without SSO, your configuration is preserved and resumes automatically when you upgrade again.

Before you start

The SSO configuration panel shows a small set of Service Provider (SP) values — an ACS URL, an audience URI, and a redirect URI — that you paste into your IdP. These are generated for your organization, so always copy them from the panel rather than from this page. Keep that panel open in one tab and your IdP admin console in another.

Step 1 — Create the app in your IdP

The shape is the same for every provider: create an app, point it at the SP values from the panel, and have it send us three attributes — email, given_name, and family_name. Okta is shown here; the callouts note where other providers differ.

SAML is the recommended path for Okta.

  1. In the Okta Admin console, go to Applications → Applications → Create App Integration and choose SAML 2.0.

  2. Give it a name (e.g. "ContextDx") and continue to Configure SAML:

    • Single sign-on URL — the ACS URL from the SSO configuration panel (an https://…/saml2/idpresponse address).
    • Audience URI (SP Entity ID) — the Audience URI from the panel (a urn:amazon:cognito:sp:… value).
    • Name ID format — EmailAddress. Application username — Email.
  3. Add three Attribute Statements (format Basic):

    NameValue
    emailuser.email
    given_nameuser.firstName
    family_nameuser.lastName
  4. Finish the wizard, then open the app's Sign On tab and copy the Metadata URL.

  5. On the Assignments tab, assign the people or groups who should be able to sign in.

Tip

Assign yourself to the app first. You'll want a working test account before you turn on enforcement in Step 4.

Step 2 — Connect it in the portal

Open Settings → SSO configuration in the portal and fill in the connection:

  1. Choose SAML 2.0 or OpenID Connect to match the app you created.
  2. Pick an SSO login slug. Your members will sign in at portal.contextdx.com/login/sso/<slug>, so choose something short and recognizable — your company name usually works.
  3. Provide the IdP details:
    • SAML — paste the metadata URL, or switch to XML and paste the metadata document directly.
    • OIDC — enter the issuer URL, client ID, and client secret.
  4. Click Test Connection to confirm we can reach your IdP, then Save SSO Configuration.
Important

Your OIDC client secret is sent straight to the identity broker and stored only there — it never touches the ContextDx database, and it's never shown again. When you edit the connection later, leave the secret field blank to keep the existing one, or enter a new value to replace it.

Step 3 — Verify your email domain

Verifying a domain is what lets a member simply type their work email on the login page and get routed to your IdP automatically — no slug to remember. It's also the anchor for requiring SSO in the next step.

  1. In the Verified Email Domains panel, add your domain (e.g. acme.com).
  2. We'll show you a TXT record to create. In your DNS provider, add it at the domain root — Host @, Value the contextdx-verify=… string we generated.
  3. Once DNS has propagated (usually a few minutes), come back and click Verify.
Note

A domain can be verified by only one organization. If verification fails, double-check the record is on the root (@) and that the value matches exactly, then give DNS a little longer to propagate.

Step 4 — Test, then require SSO

Enforcement is deliberately gated behind a working test login, so you can't lock your team out with a misconfigured IdP.

  1. Open your SSO login URL — ideally in a private window, so your admin session stays signed in — and sign in through your IdP. You should land in the portal. First-time SSO users join your organization automatically as contributors, up to your seat limit.
  2. Back on the settings page, click Confirm test login.
  3. When both checklist items are green — at least one verified domain, and one successful test login — you can turn on Require SSO. From then on, members on your verified domains can no longer sign in with a password or Google; they're sent to your IdP instead.
Warning

The organization owner is always exempt from Require SSO. That's the safety hatch: even if your IdP goes down or is misconfigured, the owner can still get in with a password and fix the connection. Everyone else on a verified domain must use SSO.

How it behaves day to day

Just-in-time membership

The first time someone signs in through your IdP, we create their ContextDx account and add them to your organization as a contributor — no invite needed. An admin can raise their role later in Settings → Team.

Provisioning respects your seat limit: if no seats are free, the sign-in is refused with a clear message rather than silently over-filling your plan. Free up a seat (or add one) and they'll get in on the next try.

Linking existing accounts

If someone already had a ContextDx account with a password, that account isn't duplicated. On their first SSO sign-in we link the IdP identity to the existing account by matching the verified email — same account, same boards, now reached through SSO.

Removing access

Removing or deactivating a user in your IdP stops new SSO sign-ins for that person. To cut off an active session immediately, also suspend the member in Settings → Team. Automated de-provisioning through SCIM is on the roadmap.

Single logout

Signing out of ContextDx ends your ContextDx session — it does not sign you out of your IdP. SAML Single Logout (SLO) isn't supported today.

Verify your setup

Run through this once the connection is live:

  • The IdP app is assigned to your test user (done)
  • Test Connection succeeds in the SSO configuration panel
  • You can sign in at portal.contextdx.com/login/sso/<slug>
  • A first-time SSO user lands in the portal as a contributor
  • Your domain shows Verified after the TXT record is added
  • Typing a work email on the login page offers Continue with SSO
  • With Require SSO on, a password login for a verified-domain user is refused
  • The organization owner can still sign in with a password

What's next

Permissions & Access

Control who can view and edit boards once your team is signed in.

Organization Settings

Configure roles, archetypes, and the rest of your organization.

PreviousBoards APINextPermissions & Access Control

On this page

Enterprise SSOBefore you startStep 1 — Create the app in your IdPStep 2 — Connect it in the portalStep 3 — Verify your email domainStep 4 — Test, then require SSOHow it behaves day to dayVerify your setupWhat's next