Setting up a new organization and SSO from scratch

This guide walks through everything needed to bring a new customer organization live on Bond Trials — from creating their workspace to connecting their identity provider and handing off to their team lead. The process takes about 15 minutes once you have the customer's IdP credentials.

Create the organization

Every customer gets their own organization — an isolated workspace with its own trials, patients, storage, and members. No data crosses org boundaries.

  1. Open Team view

    In the Bond dashboard, navigate to Team in the left sidebar.
  2. Create organization

    Click + New Organization, enter the customer's full legal name, a URL-safe slug (e.g. mass-general), and select their preferred AWS region for data residency.
  3. Copy the org ID

    Open Prisma Studio, find the new Organization row, and copy its id field — you'll need it when linking SSO.

SSO — Azure AD (Microsoft Entra)

Follow these steps if the customer uses Microsoft 365 / Azure AD.

  1. Register an app in Azure Portal

    Go to portal.azure.com → App registrations → New registration. Name it Bond Trials. Set supported account types to Accounts in any organizational directory. Add the redirect URI: https://app.bondtrials.com/api/auth/callback/microsoft-entra-id
  2. Add a client secret

    Certificates & secrets → New client secret. Copy the Value immediately — it only shows once.
  3. Collect credentials

    From the app Overview tab: Application (client) ID and Directory (tenant) ID. Together with the secret, these are the three values you need.
  4. Set env vars in Vercel

    Set AZURE_AD_CLIENT_ID and AZURE_AD_CLIENT_SECRET. Leave AZURE_AD_TENANT_ID unset: Bond defaults to common, which supports all tenants.

Customer IT requirement

The customer's Azure AD admin must grant consent to the Bond Trials app the first time a user signs in. Azure will prompt them automatically — no extra steps needed from your side.

SSO — Okta

Follow these steps if the customer uses Okta.

  1. Create an app integration in Okta

    Applications → Create App Integration → OIDC → Web Application. Set the sign-in redirect URI to: https://app.bondtrials.com/api/auth/callback/okta
  2. Collect credentials

    From the app's General tab: Client ID and Client Secret. From the Okta dashboard top-right: Okta domain (e.g. acme.okta.com).
  3. Set env vars in Vercel

    Set OKTA_CLIENT_ID, OKTA_CLIENT_SECRET, and OKTA_ISSUER (the full domain with https://).

Link SSO to the org

Once the IdP app is created, link the customer's tenant to their Bond org so that users who sign in via SSO land in the right workspace automatically.

  1. Open the customer's org in Team view

    Switch to their org using the org switcher, then go to Team.
  2. Scroll to SSO Tenant Mappings

    The panel appears at the bottom of the org detail view, visible to org owners only.
  3. Add a mapping

    Click Add mapping, select the provider (Microsoft or Okta), paste the tenant identifier (Azure tenant GUID or Okta domain), and set the default role.
  4. Save

    Takes effect immediately — no redeploy needed.

Finding the Azure tenant ID

The customer's IT admin can find their tenant ID in Azure Portal → Azure Active Directory → Overview → Tenant ID. It's a GUID like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

Test sign-in

Once the tenant mapping is in place, any user the customer's IT team grants access to in Azure AD or Okta can sign straight into Bond — no invite needed. Bond provisions them into the correct organization automatically on first login.

  1. Ask the team lead to go to the login page

    They click the Microsoft or Okta button and sign in with their corporate credentials.
  2. Bond provisions them automatically

    Their tenant is matched to the org via the mapping. They land in the right workspace with the configured default role.
  3. Their IT team controls access from here

    Anyone the customer's IT team grants access to in Azure/Okta can sign in. No further action needed from Bond.
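
The tenant-to-org match described above, sketched as an added example (not Bond's own code): because the Azure app is registered for any organizational directory and uses common, the decisive check is that the verified token's tenant has a mapping and that unmapped tenants are denied. The field names (provider, tenantId, orgId, defaultRole), the sample mappings, and the Entra v2.0 issuer format are assumptions.

```javascript
// Added example. `claims` must come from an ID token whose signature,
// audience and expiry were already verified by the OIDC library.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Derive the tenant identifier from verified claims, or null if inconsistent.
function tenantFromClaims(provider, claims) {
  if (provider === "microsoft") {
    const tid = String(claims.tid || "").toLowerCase();
    // With `common`, any tenant can issue tokens, so the issuer is checked
    // against the token's own tid (assumed Entra v2.0 issuer format).
    const expectedIss = `https://login.microsoftonline.com/${tid}/v2.0`;
    return GUID.test(tid) && claims.iss === expectedIss ? tid : null;
  }
  if (provider === "okta") {
    try {
      // The Okta domain is the host part of the issuer URL.
      const u = new URL(claims.iss);
      return u.protocol === "https:" ? u.hostname.toLowerCase() : null;
    } catch {
      return null; // missing or malformed issuer
    }
  }
  return null; // unknown provider
}

// Return { orgId, role } for a mapped tenant; null means deny the sign-in.
// An unmapped tenant is never placed in a fallback organization.
function resolveOrg(provider, claims, mappings) {
  const tenant = tenantFromClaims(provider, claims);
  if (!tenant) return null;
  const hit = mappings.find(
    (m) => m.provider === provider && m.tenantId.toLowerCase() === tenant
  );
  return hit ? { orgId: hit.orgId, role: hit.defaultRole } : null;
}

// Constructed sample rows standing in for SsoTenantMapping.
const MAPPINGS = [
  { provider: "microsoft", tenantId: "11111111-2222-3333-4444-555555555555",
    orgId: "org_mgh", defaultRole: "member" },
  { provider: "okta", tenantId: "acme.okta.com",
    orgId: "org_acme", defaultRole: "member" },
];
```

A null result should end the sign-in with an error rather than create a user, which keeps the handoff check "SsoTenantMapping row exists" meaningful.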

Handoff checklist

Before marking the customer as live, confirm the following:

  • Organization created with the correct name, slug, and AWS region.
  • SSO env vars set in Vercel and deployment is live.
  • SsoTenantMapping row exists with the correct provider, tenant ID, and org ID.
  • At least one org admin has successfully signed in via SSO.
  • That admin can see their organization in the org switcher.
  • A test trial can be created and saved without errors.
  • EHR credentials configured if the customer has a connected system.

Phone numbers

If the customer is doing prescreening calls, they also need a phone number provisioned in the Phones view before placing any calls.