SALES / ONBOARDING GATE

AE Compliance Checklist

One-page SIS gate for sales/onboarding. Complete during onboarding and attach to the tenant deal record as evidence.
Tenant / Org Info
SSO Configuration
Protocol selected: OIDC preferred; SAML 2.0 supported; one enforced primary.
Routing confirmed: Domain / org slug / email discovery.
Redirect/ACS URLs match exactly: No “close enough” redirects in production.
OIDC issuer recorded (if OIDC): Issuer URL + discovery reachable + JWKS reachable.
SAML entity + ACS + cert recorded (if SAML): Cert expiry must be > 60 days at go-live.
Enforcement Policy
SSO Required policy set: Enterprise must enforce SSO required.
Password login disabled when SSO required: Eliminates password drift and takeover surface.
MFA enforced via IdP policy: Enterprise requires MFA enforcement.
Session revocation defined: On deprovision + on role downgrade (minimum).
SCIM
SCIM enabled (Enterprise required): Lifecycle automation: create/update/disable/optional delete.
SCIM token created + vaulted: Never store tokens in email, chat, or screenshots.
Provision/update/disable confirmed: active=false must be respected.
Deprovision SLA acknowledged: Enterprise target < 2 minutes; Core max < 15 minutes.
Group sync + role mapping documented: Map by group ID; default least privilege.
Admin Experience
Identity Console present: SSO status + SCIM status + last sync + last error + test tools.
Break-glass configured (Enterprise required): Separate method + MFA + auditing + optional IP allowlist.
Audit Logging
Audit events captured: Auth + SCIM + admin config changes must be recorded.
Retention set: 1 year Core; 3+ years Enterprise or per contract.
Client knows where logs live: Visibility reduces support drag and compliance risk.
Evidence Notes
GO / NO-GO
Attachment rule

Evidence pack required

To clear the SIS gate, attach the exported checklist JSON (or printed PDF) plus engineer preflight output.
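
Added example (not part of the original page and not the vendor's preflight tooling): one way to evaluate the checklist's measurable controls and derive GO / NO-GO. The record schema, field names and sample values are assumptions constructed for illustration; contract-specific retention overrides are not modeled, and the Enterprise deprovision target is treated as a hard limit.

```python
from datetime import date, timedelta

# Thresholds come from the checklist; the record layout is hypothetical.
DEPROVISION_SLA_MIN = {"enterprise": 2, "core": 15}  # measured time must be below
RETENTION_MIN_YEARS = {"enterprise": 3, "core": 1}
ENTERPRISE_REQUIRED = ("sso_required", "mfa_via_idp", "scim_enabled", "break_glass")

def evaluate_gate(t, go_live):
    """Return (verdict, failures) for tenant record t at the go-live date."""
    fails, tier = [], t["tier"]
    # Exact string comparison: no prefix, wildcard or case-insensitive match.
    if t["idp_redirect_uri"] != t["app_redirect_uri"]:
        fails.append("redirect/ACS URL mismatch")
    if t["protocol"] == "saml":
        # The certificate needs more than 60 days left at go-live.
        if t["saml_cert_not_after"] - go_live <= timedelta(days=60):
            fails.append("SAML cert expires within 60 days of go-live")
    elif t["protocol"] == "oidc":
        if not (t.get("oidc_issuer") and t.get("discovery_ok") and t.get("jwks_ok")):
            fails.append("OIDC issuer/discovery/JWKS not confirmed")
    else:
        fails.append("no supported protocol selected")
    if tier == "enterprise":
        fails += [f"{c} missing (Enterprise required)"
                  for c in ENTERPRISE_REQUIRED if not t.get(c)]
    if t.get("sso_required") and t.get("password_login_enabled"):
        fails.append("password login still enabled with SSO required")
    if t.get("scim_enabled"):
        if not t.get("scim_disable_respected"):
            fails.append("active=false not respected")
        if t["deprovision_minutes"] >= DEPROVISION_SLA_MIN[tier]:
            fails.append("deprovision time outside SLA")
    if t["audit_retention_years"] < RETENTION_MIN_YEARS[tier]:
        fails.append("audit retention too short")
    return ("GO" if not fails else "NO-GO"), fails

# Constructed sample record (not real tenant data): trailing-slash redirect
# mismatch, certificate 44 days from expiry, 5-minute deprovision time.
GO_LIVE = date(2025, 6, 1)
SAMPLE = {
    "tier": "enterprise", "protocol": "saml",
    "idp_redirect_uri": "https://app.example.com/sso/acs",
    "app_redirect_uri": "https://app.example.com/sso/acs/",
    "saml_cert_not_after": date(2025, 7, 15),
    "sso_required": True, "mfa_via_idp": True, "scim_enabled": True,
    "break_glass": True, "password_login_enabled": False,
    "scim_disable_respected": True, "deprovision_minutes": 5,
    "audit_retention_years": 3,
}

if __name__ == "__main__":
    print(evaluate_gate(SAMPLE, GO_LIVE))
```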