LinkStacked

Team & Enterprise

SSO and SAML — let your IdP handle who can log in to Linkstacked

Okta, Azure AD, Google Workspace, OneLogin, JumpCloud — connect Linkstacked to your identity provider and your IT team controls login lifecycle. Members are provisioned and deprovisioned through your existing offboarding flow.

Run your team

If you're at the scale where Linkstacked needs to fit into a real IT department, manually adding and removing team members is a compliance problem waiting to happen. Your offboarding checklist already has 27 entries; nobody remembers to log into the Linkstacked admin to revoke the marketing intern who left last quarter.

SSO via SAML lets your existing identity provider be the source of truth for who can log in. When IT deprovisions someone in Okta, that person loses Linkstacked access automatically. New hires get access the moment they're added to the right group in your IdP. Zero manual administration on our side.

What we support

  • SAML 2.0 with any compliant IdP — Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, Auth0, PingFederate, ADFS, Duo, Rippling
  • SCIM 2.0 provisioning for automated user lifecycle — create, update, deactivate via your IdP without anyone touching Linkstacked
  • Group-to-role mapping — your IdP groups (e.g. 'Marketing-Admins') map to Linkstacked workspace roles (e.g. 'Admin') automatically
  • Multi-IdP setups for parent-company / subsidiary structures — each subsidiary brings their own IdP into the same workspace
  • Just-in-time (JIT) provisioning — first-time SAML login auto-creates the Linkstacked member with the right role from group mapping

Tip

SCIM is the unsung hero. SAML solves login. SCIM solves provisioning. Together they mean IT controls the entire user lifecycle and nobody in your team has to remember to grant or revoke access manually.

Setup time, honestly

For Okta, Azure AD, or Google Workspace: about 30 minutes if you have your IdP admin available. The flow:

  1. 1In Linkstacked: enable SSO, copy the SP metadata URL and ACS URL.
  2. 2In your IdP: create a new SAML app, paste the URLs, download the IdP metadata.
  3. 3Back in Linkstacked: paste the IdP metadata.
  4. 4Map your IdP groups to Linkstacked roles. Three group mappings cover most teams: Admins, Editors, Viewers.
  5. 5Test with one user, then flip the workspace to SSO-required.

For more bespoke setups (ADFS, Ping, multi-IdP), expect 90 minutes and one Zoom with our solutions engineer. We've never seen a setup that couldn't be completed in a single working day.

Optional and required SSO modes

Two SSO modes per workspace:

  • Optional — members can use either SSO or password to log in. Useful during pilot rollout, or for contractors who aren't in your IdP.
  • Required — only SSO works. Members trying to log in with a password are redirected to the IdP. This is the right mode for compliance-bound deployments.

We strongly recommend Required mode after a 2-week transition window. Optional mode is a security hole — if a member's password leaks, an attacker can bypass SSO entirely. The transition window exists so you can catch and fix any edge cases before locking down.

Backup access and break-glass

Every SSO-required workspace has one designated 'break-glass' account — a single email that retains password fallback in case the IdP itself fails. This is a security best practice; if your Okta tenant goes down for an emergency, you still have one path in to disable SSO or rotate credentials.

The break-glass account is heavily audited — every login fires a Slack/email alert to the workspace Owner, and you can require MFA enforcement on it. We document the setup in the SSO admin guide.

Audit and compliance

Every SSO event — successful logins, failed logins, IdP errors, role updates via SCIM — is logged in the audit log with full IdP context. For SOC2 and ISO27001 auditors this is what they ask for; we have the exports ready to hand over.

We're SOC2 Type 2 certified, with the report available under NDA. Our security and engineering team meets quarterly to review the controls. If your security review board needs a specific document or attestation, ask — we probably have it.

We onboarded Linkstacked into our SOC2-mandated SaaS catalogue in one afternoon. The SSO setup was actually faster than for the established vendors we use. That doesn't usually happen with newer tools.
Veena, IT operations lead at a global fintech

Plan and price

SSO/SAML and SCIM are Scale-only features. We don't offer them on Build deliberately — running enterprise SSO is operationally heavy, requires SOC2-grade infrastructure on our side, and properly belongs in the conversation that includes audit log, white label, named CSM, and enterprise procurement support. If SSO is a hard requirement for your IT, you're a Scale customer.

Talk to enterprise sales

The realistic next step is a 30-minute scoping call with our enterprise solutions team. We'll walk through your IdP setup, your compliance constraints (SOC2, ISO, HIPAA, etc.), and your provisioning policy. Most enterprise customers go from first call to full deployment in 3-6 weeks.

Share this with a teammate evaluating Linkstacked.

More use-cases

Team & Enterprise

White label — your brand all the way down, no 'powered by' anywhere

Remove every trace of Linkstacked from the rendered page. Custom favicon, custom error pages, custom support email, custom login screen. The end user never knows your link-in-bio is a third-party service.

Read
Team & Enterprise

Audit log — every action, every member, every timestamp

180 days (Build) or unlimited (Scale) of immutable action logs. Who edited what link, when, from where, before and after. The single source of truth for 'what happened on Tuesday morning' questions.

Read
Team & Enterprise

Roles and permissions — exactly what each person can edit, no more

Owner, Admin, Editor, Viewer. Each role has clear permissions across content, billing, members, and integrations. Configure once, never worry about an intern accidentally deleting the live theme.

Read

Ready to ship this on Linkstacked?

linkstacked.com/