Skip to main content

SSO Integration with Early: Frequently Asked Questions

What happens if a user already has an account with email/password?

If a user has already signed up using email/password and then attempts to log in via SSO with the same email, they will encounter a conflict. Early recommends handling this by contacting support to merge or migrate the user account to the SSO-managed identity.

Can we disable other login methods for SSO users?

Yes. For companies using SSO, Early can configure the system so that users from your domain can only authenticate using your designated SSO provider. This ensures all user sessions are managed through your organization’s identity controls.

What happens if our IdP is temporarily unavailable?

If the client’s Identity Provider (IdP) is down, users will not be able to authenticate via SSO until the IdP service is restored. Early does not store user passwords for SSO-managed accounts, so fallback to password login is not available in this scenario. High-availability IdP infrastructure is recommended.

What does our company need to provide to set up SSO?

To integrate SSO with Early, your company must provide the following information:

Identity Provider Information:

  • Which Identity Provider (IdP) are you using? (e.g., Okta, Azure AD, Google Workspace, OneLogin)
  • Preferred protocol: SAML or OIDC

SAML Configuration (If SAML):

  • IdP Metadata file or URL
  • Entity ID (Issuer)
  • SSO URL (ACS Endpoint)
  • Signing Certificate

OIDC Configuration (If OIDC):

  • Client ID
  • Client Secret
  • Issuer/Discovery URL

Attribute Mapping Requirements

  • Mandatory: Email
  • Optional: Full Name

Security Considerations

  • Signed assertions
  • Single Logout (SLO) preferences

Test User Credentials

  • For validation and testing

Staging Environment

  • Availability of a staging IdP environment if applicable

What does Early provide back to us?

When setting up SSO, Early will provide your team with:

  • Firebase Redirect URIs / ACS URLs (for SAML or OIDC)
  • Scopes requested (for OIDC)
  • Optional: IP addresses or service URLs for whitelisting (if required)

How long does SSO integration typically take?

The process usually takes 1-2 weeks depending on responsiveness from both teams. This includes exchanging configuration details, testing in staging (if applicable), enabling production access, and final validation.

How is SSO usage billed?

SSO is part of Early’s enterprise offering.

Who should we contact for support or onboarding?

For onboarding assistance or technical support, please contact Early’s support team via support@startearly.ai or use the contact form on our website.