pinksheep

How to Integrate AI Agents with SSO

Quick answer

Integrate SSO by configuring SAML or OIDC with your identity provider, mapping SSO groups to agent platform roles, enabling Just-in-Time provisioning, and enforcing SSO-only access for compliance.

7 min read. Updated 20 March 2026

Why SSO integration matters

SSO provides centralized access control, automatic user provisioning and deprovisioning, role-based permissions, and compliance with enterprise identity policies. Without SSO, you manage user access manually, permissions drift over time, and offboarded employees retain access.

SSO integration is critical for teams with 20+ users, multiple departments, or compliance requirements (SOC 2, ISO 27001).

Integration steps

1. Configure SAML or OIDC with your identity provider

Use SAML 2.0 or OIDC to connect the agent platform to your identity provider (Okta, Azure AD, Google Workspace). Configure SSO settings in your identity provider and in the agent platform. Test the login flow before enforcing SSO for all users.

2. Map SSO groups to agent platform roles

Map your identity provider groups to agent platform roles (admin, department lead, viewer). For example, map the "Engineering" group to the "Admin" role and the "Sales Managers" group to the "Department Lead" role. When users are added to or removed from groups, their permissions update automatically.

3. Enable Just-in-Time provisioning

Just-in-Time (JIT) provisioning creates user accounts automatically when users log in via SSO for the first time. This eliminates manual account creation and ensures all users authenticate via SSO.

4. Configure automatic deprovisioning

When a user is removed from your identity provider, automatically revoke their access to the agent platform. Optionally, pause or disable agents owned by offboarded users.

5. Enforce SSO-only access

Disable email/password authentication and require SSO for all users. This ensures centralized access control and prevents users from bypassing SSO with local accounts.

6. Test SSO integration before rollout

Test login, group mapping, provisioning, and deprovisioning before enforcing SSO for all users. Verify that users can log in, their roles are correct, and offboarded users lose access immediately.
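
The group mapping, Just-in-Time provisioning and deprovisioning steps above, as an added example that is not pinksheep's code or API: a small in-memory model in Python that can be used to reason about the checks in step 6. All class, function and field names are hypothetical, the "All Staff" group is constructed, the claims are assumed to come from an already-verified SAML assertion or OIDC ID token, and choosing the highest-ranked role when a user is in several groups is a design assumption.

```python
from dataclasses import dataclass, field

# Hypothetical model. Mapping follows step 2; "All Staff" is a constructed group.
GROUP_ROLE_MAP = {"Engineering": "admin", "Sales Managers": "department_lead",
                  "All Staff": "viewer"}
ROLE_RANK = {"viewer": 1, "department_lead": 2, "admin": 3}

@dataclass
class User:
    subject: str   # stable IdP identifier (OIDC "sub" or SAML NameID), not email
    email: str
    role: str
    active: bool = True

@dataclass
class Platform:
    users: dict = field(default_factory=dict)        # subject -> User
    agent_owner: dict = field(default_factory=dict)  # agent name -> owner subject
    paused: set = field(default_factory=set)         # agents paused by offboarding

    def resolve_role(self, groups):
        """Return the highest-ranked mapped role, or None if no group is mapped."""
        roles = [GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP]
        return max(roles, key=ROLE_RANK.get, default=None)

    def sso_login(self, claims):
        """Handle already-verified IdP claims: JIT-create or refresh the user."""
        role = self.resolve_role(claims.get("groups", []))
        user = self.users.get(claims["sub"])
        if role is None:
            # Default deny: an unmapped user gets no account and no session.
            if user:
                user.active = False
            return None
        if user is None:
            user = User(claims["sub"], claims["email"], role)  # JIT provisioning
            self.users[user.subject] = user
        user.role, user.active = role, True  # role re-evaluated on every login
        return user

    def deprovision(self, subject):
        """IdP removal: revoke access and pause the agents that user owns."""
        user = self.users.get(subject)
        if user:
            user.active = False
        self.paused |= {a for a, o in self.agent_owner.items() if o == subject}
```

In this model a group change takes effect at the user's next login; revoking access between logins relies on the identity provider notifying the platform, which deprovision() stands in for.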

Best practices

  • Map SSO groups to roles automatically. Automatic group mapping eliminates manual permission management and prevents drift.
  • Enable Just-in-Time provisioning. Eliminate manual account creation by creating accounts automatically on first SSO login.
  • Configure automatic deprovisioning. When users are removed from your identity provider, revoke access immediately.
  • Enforce SSO-only access for compliance. Disable email/password authentication to ensure all access goes through SSO.
  • Test thoroughly before rollout. Verify login, group mapping, provisioning, and deprovisioning work correctly.

Frequently asked questions

Can agents use SSO credentials to access external systems?

No. Agents use service accounts or OAuth connections to access external systems. SSO controls who can manage agents, not how agents authenticate to external systems.

What happens when a user is removed from SSO?

They immediately lose access to the agent platform. Their agents continue running unless you configure automatic deprovisioning to pause agents when users are removed.

Can we map SSO groups to agent permissions?

Yes. Map SSO groups to roles (admin, department lead, viewer). When users are added to or removed from groups, their permissions update automatically.

Do we need SSO for small teams?

No. SSO is valuable for teams with 20+ users, multiple departments, or compliance requirements. Smaller teams can use email/password authentication.