dealhead supports Single Sign-On (SSO) for client organizations using your existing corporate identity provider. Once configured, your users access dealhead at app.dealhead.com and authenticate through your organization's standard login process — the same way they sign into your other corporate applications. If they are already authenticated in your corporate environment, access to dealhead can be automatic with no additional login required.
SSO is implemented using the OpenID Connect (OIDC) protocol, federating with your organization's Microsoft Entra ID tenant. Your identity provider handles authentication (verifying who the user is), while dealhead handles authorization (user roles, project access, and permissions) internally. dealhead does not store or manage passwords for SSO-enabled accounts.
⚠️ SSO Availability: Single Sign-On is included as part of dhConnect, dealhead's integration service that also includes Document Management System (DMS) connectivity. To learn more about dhConnect or to add it to your organization's subscription, contact [email protected]. Once your dhConnect subscription is active, the dealhead team will coordinate SSO onboarding with your IT team using this guide.
How It Works
Once SSO is enabled for your organization, the user experience is straightforward:
| Step | What Happens |
| --- | --- |
| 1 | User navigates to app.dealhead.com |
| 2 | dealhead identifies the user's organization and redirects to your corporate login page |
| 3 | The user authenticates through your organization's standard login process, including MFA |
| 4 | Upon successful authentication, the user is returned to dealhead and their session begins |
On a user's first SSO login, dealhead links their corporate identity with a dealhead account. A dealhead administrator within your organization then assigns appropriate roles and project access. All subsequent logins are seamless.
Users who are not part of an SSO-enabled organization continue to use standard username and password authentication at the same URL.
Security & Compliance
Shared Responsibility Model
SSO creates a shared security boundary between dealhead and your organization:
| Responsibility | Owner |
| --- | --- |
| User authentication (identity verification) | Your organization's Entra ID tenant |
| Multi-factor authentication (MFA) enforcement | Your organization's Conditional Access policies |
| User authorization (roles, project access, permissions) | dealhead platform |
| Session management and token handling | dealhead platform |
| User provisioning and deprovisioning | Coordinated — see User Lifecycle below |
MFA Requirement
dealhead requires that multi-factor authentication be enforced for all users accessing external SaaS applications. As part of SSO enablement, your organization will be asked to confirm in writing that MFA is enforced via Conditional Access or security defaults in your Entra ID tenant. This attestation is a prerequisite for enabling SSO.
User Lifecycle
When SSO is enabled, your organization controls the authentication boundary. If a user is disabled or removed from your Entra ID tenant, they will no longer be able to authenticate to dealhead. We recommend notifying dealhead when users leave the organization so that their dealhead roles and project access can be updated accordingly.
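The identity linking described under How It Works, together with the single-tenant and MFA requirements above, comes down to what a relying party checks in the ID token before it trusts a login. The following is an added illustration, not dealhead's code: it assumes the token signature has already been verified against the tenant's JWKS by a JOSE library, and the tenant ID, client ID, object ID and nonce values are constructed placeholders.

```python
# Added example (not dealhead's code): claim checks for an Entra ID OIDC ID
# token in a single-tenant app. Assumes the signature was already verified
# against the tenant's JWKS; the IDs below are constructed placeholders.

TENANT_ID = "00000000-0000-0000-0000-00000000beef"  # Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-11111111cafe"  # Application (client) ID
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
ACCOUNTS = {}  # (tid, oid) -> account record; in-memory stand-in for a database


def rejection_reason(claims, expected_nonce, now):
    """Return None if the claims are acceptable, otherwise why they are not."""
    if claims.get("iss") != EXPECTED_ISSUER:
        return "issuer is not our tenant's v2.0 endpoint"
    if claims.get("tid") != TENANT_ID:  # single tenant: no other directory
        return "token was issued by another tenant"
    if claims.get("aud") != CLIENT_ID:
        return "audience is not this app registration"
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch (replayed or foreign token)"
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return "token not yet valid or expired"
    # 'amr' is an optional claim (assumption); when present, require MFA.
    if "amr" in claims and "mfa" not in claims["amr"]:
        return "sign-in completed without MFA"
    if not claims.get("oid"):
        return "oid missing; cannot link identity"
    return None


def link_identity(claims, expected_nonce, now):
    """Map a validated token to an account, creating one on first SSO login."""
    reason = rejection_reason(claims, expected_nonce, now)
    if reason:
        raise PermissionError(reason)
    # Link on the immutable (tid, oid) pair, not on email: an address can be
    # renamed or reassigned to a different person; an object ID cannot.
    key = (claims["tid"], claims["oid"])
    if key not in ACCOUNTS:  # first login: no roles until an admin assigns them
        ACCOUNTS[key] = {"email": claims.get("preferred_username"), "roles": []}
    return key, ACCOUNTS[key]


# Constructed sample payload of an already signature-verified ID token.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID,
    "oid": "22222222-2222-2222-2222-222222222222", "nonce": "n-0S6_WzA2Mj",
    "preferred_username": "jane@yourfirm.com", "amr": ["pwd", "mfa"],
    "nbf": 1_700_000_000, "exp": 1_700_003_600,
}
```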
What We Need From Your IT Team
To enable SSO, your IT team will need to complete the following:
| # | Action | Details |
| --- | --- | --- |
| 1 | Confirm identity provider | Confirm that Microsoft Entra ID is your organization's primary identity provider for corporate authentication. |
| 2 | Register dealhead in your Entra ID tenant | Register dealhead as an enterprise application and grant admin consent. See Entra ID App Registration below for instructions. |
| 3 | Confirm MFA enforcement | Provide written confirmation that MFA is enforced via Conditional Access or security defaults for users accessing external SaaS applications. |
| 4 | Provide email domain(s) | Confirm your organization's primary email domain(s) (e.g., @yourfirm.com) that should be associated with SSO. |
| 5 | Designate a technical contact | Identify an IT contact for configuration coordination and testing. |
| 6 | Communicate to your users | Inform your users that dealhead is accessible at app.dealhead.com. No special URL is required — SSO routing is handled automatically. Optionally, you may add dealhead to your Entra ID My Apps panel, distribute as an intranet link, or add as a Teams tab. |
Entra ID App Registration
To enable SSO, an IT administrator in your organization will need to register dealhead as a trusted application in your Entra ID tenant.
Step 1: Register the Application
Sign in to the Azure Portal and navigate to Microsoft Entra ID → App registrations → New registration.
Name: dealhead
Supported account types: Accounts in this organizational directory only (Single tenant)
Redirect URI: Web: [dealhead will provide the redirect URI during onboarding]
Click Register.
Step 2: Record Application Details
After registration, provide the following values to dealhead:
| Value | Where to Find It |
| --- | --- |
| Application (client) ID | App registration → Overview |
| Directory (tenant) ID | App registration → Overview |
| Client secret | App registration → Certificates & secrets → New client secret |
⚠️ Important: Please share these values securely. dealhead will provide a secure method for exchanging credentials during the onboarding process.
Step 3: Grant Admin Consent
Navigate to App registration → API permissions.
Confirm the following permissions are present: [dealhead will specify required permissions during onboarding]
Click Grant admin consent for [your organization].
Step 4: Configure Optional Claims (If Required)
Navigate to App registration → Token configuration → Add optional claim.
Token type: ID
Select: [dealhead will specify required claims during onboarding]
💡 Tip: If your organization uses a custom domain, restricts external application access through Conditional Access, or has specific network policies (IP allowlists, VPN requirements), please let us know so we can adjust the configuration accordingly.
Information We Need From You
To complete SSO configuration on our side, please provide:
Application (client) ID from the app registration
Directory (tenant) ID
Client secret value
Your organization's primary email domain(s) (e.g., @yourfirm.com)
Technical contact name and email for configuration and testing
Confirmation of MFA enforcement (written attestation)
Any network restrictions, IP allowlists, or Conditional Access policies that may affect external application access
Our implementation team will work with you to safely and securely communicate this information.
Testing & Go-Live
Once both sides are configured, dealhead will coordinate a testing window with your technical contact:
| Test | What We Verify |
| --- | --- |
| SSO redirect | Users with your email domain are routed to your organization's login page |
| Authentication | Successful sign-in through your IdP, including MFA |
| Identity linking | Corporate identity is correctly linked to the user's dealhead account |
| Session behavior | Logout and re-authentication behave as expected |
| Access control | User roles and project permissions are correctly applied after SSO login |
After successful testing, SSO is enabled for all users with your organization's email domain. Users can begin accessing dealhead immediately at app.dealhead.com.
Technical Summary
| Component | Detail |
| --- | --- |
| SSO Protocol | OpenID Connect (OIDC) |
| Client Identity Provider | Microsoft Entra ID |
| Authentication | Delegated to your organization's Entra ID tenant |
| MFA | Enforced by your organization's Conditional Access policies |
| Authorization | Managed by dealhead (user roles, project access) |
| Login URL | app.dealhead.com |
| Data Encryption | TLS 1.2+ in transit; AES-256 at rest |
Frequently Asked Questions
Do our users need to create a separate dealhead account?
A: No. When SSO is enabled, your users authenticate with their existing corporate credentials. dealhead automatically links their corporate identity to a dealhead account on first login.
What happens if a user leaves our organization?
A: If a user is disabled or removed from your Entra ID tenant, they will no longer be able to authenticate to dealhead. We recommend notifying dealhead so their account permissions can be updated.
Do users need a special URL to access dealhead?
A: No. All users access dealhead at app.dealhead.com. The system automatically identifies SSO-enabled organizations and routes users to the appropriate login experience.
Is a VPN required to access dealhead?
A: No. dealhead is a cloud-hosted application accessible from any network. However, if your organization restricts access to external SaaS applications via Conditional Access policies (e.g., compliant device requirements, network location restrictions), those policies will apply when your users authenticate through your Entra ID tenant.
Can some users in our organization use SSO while others use password login?
A: SSO is enabled at the organization level based on email domain. All users with your organization's email domain will be routed through SSO. Users with personal or non-organizational email addresses will continue to use standard authentication.
Getting Support
For questions about SSO configuration or onboarding, contact [email protected].
