Single Sign-On (SSO)
Configure SAML2 or OAuth2 SSO so your team can log in with your identity provider
SSO lets your organization's members log in to MentorStack using your existing identity provider (IdP) — no separate passwords to manage. MentorStack supports both SAML 2.0 and OAuth 2.0 / OIDC.
Note
SSO is available on the Growth plan and above. Contact support if you need help migrating existing accounts to SSO.
Before you start
You'll need admin access to your identity provider (Okta, Azure AD, Google Workspace, OneLogin, etc.) to retrieve the values MentorStack requires.
SAML 2.0 configuration
Go to Settings → Security → Single Sign-On and select SAML 2.0.
| Field | Where to find it |
|---|---|
| IdP Entity ID | Your IdP's SAML metadata, often labeled Issuer or Entity ID |
| IdP SSO URL | The SAML login endpoint from your IdP |
| X.509 Certificate | The signing certificate from your IdP's metadata |
Paste in the values and click Save. MentorStack will display your Service Provider (SP) metadata — copy the SP Entity ID and ACS URL into your IdP's app configuration.
Testing
Click Test SAML configuration to trigger a test login flow. MentorStack will report whether the assertion was accepted or show an error with enough detail to diagnose the issue before you enforce SSO for all users.
OAuth 2.0 / OIDC configuration
Go to Settings → Security → Single Sign-On and select OAuth 2.0.
| Field | Where to find it |
|---|---|
| Client ID | Created when you register MentorStack as an app in your IdP |
| Client Secret | Generated alongside the Client ID |
| Authorization URL | Your IdP's OAuth authorization endpoint |
| Token URL | Your IdP's OAuth token endpoint |
The redirect URI to register in your IdP is shown in the setup form.
Enforcing SSO
Once configured and tested, toggle Enforce SSO to require all members to log in via your IdP. After enforcement is enabled:
- Existing password-based sessions remain active until they expire
- Password login is disabled for all non-admin accounts
- New members provisioned via invite will be directed to your IdP
Warning
Test your SSO configuration thoroughly before enforcing it. If your IdP is misconfigured, members may be locked out. As the org admin, you can disable enforcement from your account settings at any time.
Troubleshooting
"Invalid assertion signature" — The certificate in MentorStack doesn't match the one your IdP is signing with. Re-export the signing certificate from your IdP and update it in settings.
"Audience mismatch" — The SP Entity ID configured in your IdP doesn't match the one MentorStack shows. Copy it exactly — no trailing slashes.
"User not found after SSO" — The email attribute in the SAML assertion must match the user's email in MentorStack. Check that your IdP is sending email as an attribute.
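As an added example (not MentorStack's own code), the Python sketch below reproduces the checks behind the "Audience mismatch" and "User not found after SSO" entries, plus an issuer check, on a constructed SAML assertion; the Entity IDs are placeholders, and the email attribute name is assumed to be `email`. It deliberately leaves signature verification to an XML-DSig library, since that check must pass before the others mean anything.

```python
"""Diagnose two SAML failures from the Troubleshooting section: Audience
mismatch and missing email attribute (plus an issuer check). Added example,
not MentorStack code. Entity IDs are placeholders; the assertion XML is
constructed. Signature verification (the "Invalid assertion signature"
case) needs an XML-DSig library and must pass before these checks matter."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://mentorstack.example/saml/sp"   # placeholder SP Entity ID
IDP_ENTITY_ID = "https://idp.example/saml"             # placeholder IdP Entity ID

# Constructed, unsigned sample assertion. Note the trailing slash in Audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://mentorstack.example/saml/sp/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sp_entity_id, idp_entity_id, email_attr="email"):
    """Return a list of problem strings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"issuer mismatch: got {issuer!r}")
    # Audience is compared byte-for-byte: a trailing slash is a different value.
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"audience mismatch: expected {sp_entity_id!r}, got {audiences}")
    # The attribute name the IdP uses for email is assumed to be "email".
    email = ""
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == email_attr:
            email = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    if not email:
        problems.append("no email attribute: MentorStack cannot match the user")
    return problems
```

Running `check_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, IDP_ENTITY_ID)` reports only the audience mismatch caused by the trailing slash; registering the SP Entity ID exactly as shown clears it.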