
Enterprise SSO Setup

Configure SAML 2.0 or OIDC single sign-on for your organization, including group-role mapping and just-in-time provisioning.

Overview

Enterprise SSO allows your organization's members to sign in to AEO Optima using their existing corporate identity provider (IdP). AEO Optima supports both SAML 2.0 and OpenID Connect (OIDC) protocols, with automatic group-to-role mapping and just-in-time user provisioning.

When SSO is enforced, password-based login is disabled for all organization members, ensuring all authentication flows through your corporate IdP.

Supported Protocols

Protocol | Best For | Requirements
SAML 2.0 | Enterprise IdPs like Okta, Azure AD, OneLogin, PingFederate | Metadata URL or XML
OIDC | Modern IdPs, Google Workspace, Auth0 | Issuer URL, Client ID, Client Secret

Configuration

SAML 2.0 Setup

  1. In your IdP, create a new SAML application:

    • Set the ACS (Assertion Consumer Service) URL to your AEO Optima instance's auth callback URL.
    • Set the Entity ID to your organization's identifier.
    • Configure attribute mappings for email, name, and groups.
  2. In AEO Optima, navigate to Settings and then SSO Configuration:

    • Select SAML as the provider type.
    • Enter the Metadata URL (preferred) or paste the Metadata XML from your IdP.
    • Add your organization's email domain(s) (e.g., yourcompany.com).
    • Save the configuration.

OIDC Setup

  1. In your IdP, register a new OIDC application:

    • Set the redirect URI to your AEO Optima instance's auth callback URL.
    • Note the Client ID and Client Secret.
    • Ensure the openid, email, and profile scopes are enabled.
  2. In AEO Optima, navigate to Settings and then SSO Configuration:

    • Select OIDC as the provider type.
    • Enter the Issuer URL (e.g., https://accounts.google.com or https://your-tenant.okta.com).
    • Enter the Client ID and Client Secret.
    • Add your organization's email domain(s).
    • Save the configuration.

The system validates your OIDC configuration by fetching the discovery document at {issuer_url}/.well-known/openid-configuration and checking for required fields (issuer, authorization_endpoint, token_endpoint).
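The following is an added example, written for this page and not AEO Optima's own validation code, showing the checks a practitioner would run on a fetched discovery document: the three required fields from the paragraph above, plus two checks worth adding in any OIDC client, that the advertised issuer is identical to the configured Issuer URL (OpenID Connect Discovery requires this, and a mismatch means tokens would be accepted from a different issuer than the one configured) and that the endpoints use https. The discovery document and hostnames are constructed sample data; the function names are assumptions.

```python
from urllib.parse import urlparse

# Fields the page lists as required in the discovery document.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint")


def discovery_url(issuer_url):
    """Build {issuer_url}/.well-known/openid-configuration without doubling a slash."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery_document(issuer_url, doc):
    """Return a list of problems found; an empty list means the document is acceptable.

    Hypothetical helper (not AEO Optima's code). `doc` is the parsed JSON that
    was fetched from discovery_url(issuer_url).
    """
    problems = []
    for name in REQUIRED_FIELDS:
        if not doc.get(name):
            problems.append(f"missing required field: {name}")
    if problems:
        return problems  # no point checking values that are absent

    # OIDC Discovery requires the issuer value in the document to be identical
    # to the Issuer URL used to fetch it. Comparing exactly (no normalisation)
    # is the conservative choice.
    if doc["issuer"] != issuer_url:
        problems.append(
            f"issuer mismatch: configured {issuer_url!r}, document says {doc['issuer']!r}"
        )

    # Authorization codes and the client secret travel to these endpoints, so
    # they must be https.
    for name in ("authorization_endpoint", "token_endpoint"):
        if urlparse(doc[name]).scheme != "https":
            problems.append(f"{name} is not https: {doc[name]}")
    return problems


# Constructed sample document, shaped like what an IdP serves at the discovery URL.
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
}

if __name__ == "__main__":
    print(discovery_url("https://idp.example.com/"))
    print(validate_discovery_document("https://idp.example.com", SAMPLE_DOC))
    print(validate_discovery_document("https://other.example.com", SAMPLE_DOC))
```

In a real deployment the document would be fetched over TLS from `discovery_url(issuer_url)` and parsed with `json.loads` before being passed to `validate_discovery_document`; a non-empty result should block saving the configuration rather than merely warn.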

Group-Role Mapping

Map your IdP's groups to AEO Optima organization roles. When a user authenticates via SSO, their IdP groups are checked against these mappings to determine their role.

Available Roles

Role | Permissions
Owner | Full access including billing and organization deletion.
Admin | Manage members, projects, settings, and configurations.
Member | Create and manage prompts, snapshots, and analyses.
Viewer | Read-only access to dashboards and reports.

Mapping Configuration

Add mappings in the format IdP Group Name -> Organization Role:

IdP Group | AEO Optima Role
Engineering | admin
Marketing | member
Executives | owner
Contractors | viewer

Role Resolution

When a user belongs to multiple IdP groups with different role mappings, the highest-privilege role is assigned. The hierarchy is: owner > admin > member > viewer.

If no group mapping matches, the user is assigned the default role (configurable, defaults to member).

Just-in-Time Provisioning

When enabled (the default), JIT provisioning automatically creates organization membership for new users the first time they authenticate via SSO. This eliminates the need to pre-create accounts or send invitations.

  • Auto-provision — Automatically adds the user as an organization member with the resolved role.
  • Audit logging — Each JIT-provisioned membership is logged with the user's email, assigned role, and IdP groups for compliance tracking.
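The two sections above (Role Resolution and Just-in-Time Provisioning) describe one flow on first login: resolve the highest-privilege role from the user's mapped groups, fall back to the default role, create the membership, and write an audit record. The code below is an added example of that flow, not AEO Optima's implementation; the function names, the in-memory `members` and `audit_log` containers, and the sample user are assumptions. The group-to-role mapping is the one from the Mapping Configuration table.

```python
from datetime import datetime, timezone

# Hierarchy from the page: owner > admin > member > viewer (higher rank = more privilege).
ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2, "owner": 3}

# The mapping table from this page.
GROUP_ROLE_MAP = {
    "Engineering": "admin",
    "Marketing": "member",
    "Executives": "owner",
    "Contractors": "viewer",
}


def resolve_role(idp_groups, group_role_map, default_role="member"):
    """Return the highest-privilege role mapped from the user's groups, else the default.

    Hypothetical helper (not AEO Optima's code). Unmapped groups are ignored;
    a mapping that names an unknown role is rejected rather than silently
    granting something.
    """
    if default_role not in ROLE_RANK:
        raise ValueError(f"unknown default role: {default_role}")
    best = None
    for group in idp_groups:
        role = group_role_map.get(group)
        if role is None:
            continue
        if role not in ROLE_RANK:
            raise ValueError(f"mapping for group {group!r} names unknown role {role!r}")
        if best is None or ROLE_RANK[role] > ROLE_RANK[best]:
            best = role
    return best if best is not None else default_role


def jit_provision(email, idp_groups, group_role_map, members, audit_log, default_role="member"):
    """Create an organization membership on first SSO login and log it.

    `members` maps normalised email -> role for existing members; `audit_log`
    is a list that receives one record per provisioned membership, carrying
    the fields the page says are logged (email, role, IdP groups). Returns
    the member's role. An existing member is left untouched: JIT creates
    memberships, and what happens to an existing member's role on later
    logins is outside this example.
    """
    email = email.strip().lower()
    if email in members:
        return members[email]
    role = resolve_role(idp_groups, group_role_map, default_role)
    members[email] = role
    audit_log.append({
        "event": "jit_provisioned",
        "email": email,
        "role": role,
        "idp_groups": sorted(idp_groups),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })
    return role


if __name__ == "__main__":
    members, audit_log = {}, []
    # Constructed sample user in two mapped groups; admin outranks member.
    print(jit_provision("Alice@YourCompany.com", ["Engineering", "Marketing"],
                        GROUP_ROLE_MAP, members, audit_log))
    print(audit_log)
```

The email is lowercased before the membership lookup so that `Alice@YourCompany.com` and `alice@yourcompany.com` cannot become two members with different roles; the audit record keeps the full group list, which is what an investigator needs when asking why a user ended up with a given role.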

Enforcement Mode

When SSO is set to enforced:

  • Password-based login is disabled for all members of the organization.
  • Users with email addresses matching the configured domains must authenticate via the IdP.
  • This ensures full compliance with corporate authentication policies.

When SSO is enabled but not enforced, members can use either SSO or password-based login.

Domain-Based SSO Lookup

AEO Optima can automatically detect when a user's email domain matches an SSO-configured organization and redirect them to the appropriate IdP. This provides a seamless login experience:

  1. User enters their email address on the login page.
  2. The system checks if the email domain matches any SSO-configured organization.
  3. If a match is found, the user is redirected to their corporate IdP.
  4. After successful authentication, the user is returned to AEO Optima with their role automatically resolved.
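The following is an added example (not AEO Optima's login code) covering the four steps above together with the Enforcement Mode section: extract the domain from the entered email, match it exactly against each organization's configured domains, and decide whether the user is redirected to the IdP, allowed a password login, or refused a password login because SSO is enforced. The `SsoOrg` record, the organization names, IdP URLs and domains are all constructed for the example. The match is deliberately exact on the whole domain: a lookalike such as `yourcompany.com.attacker.example`, or an unlisted subdomain, must not be routed to (or treated as a member of) the organization.

```python
from dataclasses import dataclass


@dataclass
class SsoOrg:
    """Constructed stand-in for one organization's SSO settings (hypothetical model)."""
    name: str
    idp_login_url: str      # where the user is sent to authenticate
    domains: tuple          # configured email domains, e.g. ("yourcompany.com",)
    enforced: bool = False  # True: password login disabled for this org's members


def email_domain(email):
    """Return the lowercased domain of a single user@domain address, or None if malformed."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def find_sso_org(email, orgs):
    """Step 2: return the organization whose configured domains contain the email's domain.

    Exact, case-insensitive comparison of the whole domain. Subdomains match
    only when they are listed explicitly.
    """
    domain = email_domain(email)
    if domain is None:
        return None
    for org in orgs:
        if domain in {d.lower() for d in org.domains}:
            return org
    return None


def login_decision(email, orgs, wants_password_login=False):
    """Steps 3 and 4 plus enforcement: decide what the login page does next.

    Returns a dict whose 'action' is one of 'redirect_idp', 'password_login'
    or 'denied'.
    """
    org = find_sso_org(email, orgs)
    if org is None:
        return {"action": "password_login", "org": None}
    if org.enforced:
        if wants_password_login:
            return {"action": "denied", "org": org.name,
                    "reason": "SSO is enforced; password login is disabled"}
        return {"action": "redirect_idp", "org": org.name, "url": org.idp_login_url}
    # Enabled but not enforced: the user may choose either path.
    if wants_password_login:
        return {"action": "password_login", "org": org.name}
    return {"action": "redirect_idp", "org": org.name, "url": org.idp_login_url}


# Constructed sample organizations.
ORGS = [
    SsoOrg("Acme", "https://idp.example.com/sso/start", ("yourcompany.com",), enforced=True),
    SsoOrg("Beta", "https://beta-idp.example.com/sso/start", ("beta.example",), enforced=False),
]

if __name__ == "__main__":
    for addr in ("alice@YourCompany.com", "bob@beta.example",
                 "eve@yourcompany.com.attacker.example", "carol@sub.yourcompany.com"):
        print(addr, "->", login_decision(addr, ORGS))
```

The redirect target comes from the stored organization record, never from anything in the request, so the login page cannot be turned into an open redirect by a crafted email address.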

How to Use

  1. Navigate to Settings, then SSO Configuration.
  2. Choose your protocol (SAML or OIDC) and enter the required provider details.
  3. Add your email domain(s) so the system can match users to your organization.
  4. Configure group-role mappings based on your IdP's group structure.
  5. Test by signing in with an SSO-enabled account.
  6. Enable enforcement once you have confirmed SSO works correctly for all members.

Plan Requirements

Enterprise SSO is available on Enterprise plans only.
