
Overview

Conduit supports enterprise Single Sign-On (SSO) so your team can log in with their existing corporate credentials. Instead of managing separate Conduit passwords, members authenticate through your identity provider (IdP), giving you centralized control over who can access your workspace. SSO is available on enterprise plans. Contact support@conduit.ai to enable it for your organization.

Supported Protocols

Protocol    Description
SAML 2.0    Industry-standard protocol supported by most enterprise IdPs
OIDC        OpenID Connect for IdPs that support OAuth 2.0-based authentication
SCIM 2.0    Automated user provisioning and deprovisioning via Directory Sync

Supported Identity Providers

Conduit works with any SAML 2.0 or OIDC-compliant identity provider, including:
  • Okta
  • Microsoft Entra ID (formerly Azure AD)
  • Google Workspace
  • OneLogin
  • JumpCloud
  • PingFederate
  • Custom SAML/OIDC providers

Setting Up SSO

Prerequisites

  • An enterprise Conduit plan
  • Admin access to both Conduit and your identity provider
  • Your IdP’s SAML metadata URL or OIDC discovery endpoint

Step 1: Contact Conduit

Reach out to your account manager or email support@conduit.ai to request SSO enablement for your workspace. We’ll provision the SSO connection and provide you with:
  • ACS URL (Assertion Consumer Service) for SAML
  • Entity ID / Audience URI
  • Redirect URI for OIDC

Step 2: Configure Your Identity Provider

Using the details from Step 1, create a new application in your IdP:
Okta:
  1. In Okta Admin, go to Applications > Create App Integration
  2. Select SAML 2.0
  3. Enter the ACS URL and Entity ID provided by Conduit
  4. Set Name ID format to EmailAddress
  5. Map the user’s email as the primary attribute
  6. Assign users or groups who should have access

Microsoft Entra ID:
  1. In Azure Portal, go to Enterprise Applications > New Application
  2. Select Create your own application > Non-gallery
  3. Under Single sign-on, select SAML
  4. Enter the ACS URL as the Reply URL and Entity ID as the Identifier
  5. Set Name ID format to EmailAddress
  6. Assign users or groups

Google Workspace:
  1. In Google Admin, go to Apps > Web and mobile apps > Add custom SAML app
  2. Enter the ACS URL and Entity ID
  3. Set Name ID format to EMAIL
  4. Map Primary email to email
  5. Enable for the relevant organizational units

Step 3: Share IdP Metadata

Send your IdP’s SAML metadata URL (or XML file) back to Conduit support. For OIDC, provide your discovery endpoint and client credentials. We’ll complete the connection on our end.

Step 4: Test the Connection

Once configured, test the SSO flow:
  1. Open an incognito/private browser window
  2. Navigate to your Conduit workspace login
  3. Select Sign in with SSO
  4. Authenticate through your IdP
  5. Verify you land in the correct workspace with the expected role

How SSO Authentication Works

Once SSO is enabled for your workspace:
  1. Member visits Conduit and selects SSO login
  2. Conduit redirects to your identity provider
  3. Member authenticates with their corporate credentials (and MFA if configured)
  4. IdP sends assertion back to Conduit confirming the member’s identity
  5. Conduit grants access based on the authenticated email matching a workspace member
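The checks a service provider has to make on the assertion in step 4 before step 5 can grant access, written as an added example (not Conduit's code): it assumes the XML signature has already been verified against the IdP metadata, and it uses a constructed sample assertion with a placeholder Entity ID / Audience URI. It shows the Name ID format, validity window, audience, email-domain scope and workspace-membership checks in one place.

```python
import xml.etree.ElementTree as ET  # a production SP should parse with a hardened library (e.g. defusedxml)
from datetime import datetime

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion; the Audience value stands in for the Entity ID Conduit issues.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@Example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>PLACEHOLDER-conduit-entity-id</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp ("...Z") into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, expected_audience, allowed_domains, workspace_members, now_iso):
    """Return (email, 'ok') if the assertion may grant access, otherwise (None, reason).
    Assumes the assertion's XML signature was already verified (hypothetical caller)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return None, "nameid-format"            # Step 2 requires Name ID format EmailAddress
    cond = root.find("saml:Conditions", SAML)
    now = _ts(now_iso)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, "outside-validity-window"  # replayed or clock-skewed assertion
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)]
    if expected_audience not in audiences:
        return None, "audience"                 # issued for a different service provider
    email = name_id.text.strip().lower()
    if email.rpartition("@")[2] not in allowed_domains:
        return None, "domain"                   # connection scoped to corporate email domains
    if email not in workspace_members:
        return None, "not-a-member"             # must be invited manually or provisioned via SCIM
    return email, "ok"
```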

Directory Sync (SCIM)

Directory Sync automates user provisioning and deprovisioning through the SCIM 2.0 protocol. When you add or remove someone in your identity provider, the change automatically propagates to Conduit.

Supported Providers for Directory Sync

Provider              Provisioning   Deprovisioning   Attribute Sync
Okta                  Yes            Yes              Yes
Microsoft Entra ID    Yes            Yes              Yes

Directory Sync requires an existing SAML or OIDC enterprise SSO connection. Set up SSO first, then enable Directory Sync on top of it.

What Gets Synced

When Directory Sync is active, the following user lifecycle events are handled automatically:
  • User created in IdP — a corresponding Conduit account is provisioned and the member is added to the workspace
  • User updated in IdP — changes to name or email propagate to Conduit automatically
  • User removed or disabled in IdP — the member is deactivated in Conduit and all active sessions are revoked immediately

Synced Attributes

Attribute                  Description
Email address              Primary identifier, used to match workspace membership
First name                 Synced from IdP profile
Last name                  Synced from IdP profile
Enabled/disabled status    Controls whether the user can access Conduit

Setting Up Directory Sync

Step 1: Enable Directory Sync

Contact support@conduit.ai to enable Directory Sync on your existing SSO connection. We’ll provide you with:
  • SCIM Base URL — the endpoint your IdP will push changes to
  • Bearer Token — the authentication token for SCIM requests
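The receiving side of the lifecycle events listed under What Gets Synced, and of the Bearer Token handed out in Step 1, as an added example (not Conduit's code): a toy SCIM 2.0 service provider that authenticates each request with a constant-time token check, provisions on POST /Users, and deactivates with immediate session revocation on PATCH active=false or DELETE. The token value is a placeholder, and users are keyed by userName rather than the opaque ids a real SCIM service uses.

```python
import hmac

SCIM_TOKEN = "PLACEHOLDER-scim-bearer-token"  # constructed; Conduit issues the real one
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ConduitWorkspace:
    """Toy SCIM 2.0 service-provider side (hypothetical). Users are keyed by userName (email)."""

    def __init__(self):
        self.members = {}   # email -> {"active", "givenName", "familyName"}
        self.sessions = {}  # email -> set of live session ids

    def _authorized(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # constant-time comparison: response timing must not reveal how many token bytes matched
        return scheme == "Bearer" and hmac.compare_digest(token, SCIM_TOKEN)

    def _deactivate(self, email):
        self.members[email]["active"] = False
        self.sessions.pop(email, None)  # revoke every live session immediately

    def handle(self, method, path, headers, body=None):
        if not self._authorized(headers):
            return 401, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"], "status": "401"}
        if method == "POST" and path == "/Users":  # user created in IdP
            email = body["userName"].lower()
            name = body.get("name", {})
            self.members[email] = {"active": body.get("active", True),
                                   "givenName": name.get("givenName"),
                                   "familyName": name.get("familyName")}
            return 201, {"id": email, "userName": email, "active": self.members[email]["active"]}
        email = path.rpartition("/")[2].lower()
        if not path.startswith("/Users/") or email not in self.members:
            return 404, {"status": "404"}
        if method == "PATCH" and PATCH_OP in body.get("schemas", []):  # user updated/disabled in IdP
            for op in body.get("Operations", []):
                v, p = op.get("value"), op.get("path", "")
                if p in ("name.givenName", "name.familyName"):
                    self.members[email][p.split(".")[1]] = v
                    continue
                # Okta sends {"path": "active", "value": false}; Entra sends {"value": {"active": "False"}}
                raw = v if p == "active" else (v.get("active") if isinstance(v, dict) else None)
                if raw is None:
                    continue
                active = raw if isinstance(raw, bool) else str(raw).lower() == "true"
                self._deactivate(email) if not active else self.members[email].update(active=True)
            return 200, {"id": email, "active": self.members[email]["active"]}
        if method == "DELETE":  # user removed in IdP
            self._deactivate(email)
            return 204, None
        return 405, {"status": "405"}
```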

Step 2: Configure Your Identity Provider

Okta:
  1. In Okta Admin, go to your Conduit application
  2. Open the Provisioning tab and click Configure API Integration
  3. Enter the SCIM Base URL and Bearer Token provided by Conduit
  4. Test the connection
  5. Under To App, enable: Create Users, Update User Attributes, Deactivate Users
  6. Set the unique identifier to userName
  7. Assign users or groups to provision

Microsoft Entra ID:
  1. In Azure Portal, go to your Conduit enterprise application
  2. Navigate to Provisioning > Get started
  3. Set Provisioning Mode to Automatic
  4. Enter the SCIM Base URL as the Tenant URL and Bearer Token as the Secret Token
  5. Click Test Connection to verify
  6. Review the default attribute mappings (email, first name, last name)
  7. Set the provisioning scope and start provisioning

Step 3: Verify

After configuration, test the sync:
  1. Assign a test user to the Conduit application in your IdP
  2. Wait for the provisioning cycle (or trigger a manual sync)
  3. Verify the user appears in Settings > Members in Conduit
  4. Unassign the test user from the IdP
  5. Verify the user is deactivated in Conduit

Current Limitations

  • Group sync is not yet supported. Users are provisioned individually, not by group membership.
  • Custom attribute mapping is not available. Only the standard attributes listed above are synced.
  • Role mapping is not synced from IdP. Roles (Admin, Member) are still managed within Conduit.
  • Synced attributes are read-only in Conduit. Changes must be made in the IdP.

Member Management with SSO

Without Directory Sync

If you’re using SSO without Directory Sync, members must still be invited manually:
  1. Go to Settings > Members
  2. Click Add and enter the member’s corporate email
  3. Assign their role (Admin or Member)
  4. When they log in via SSO, they’ll automatically join the workspace
To revoke access without Directory Sync:
  • Remove from Conduit: Go to Settings > Members and remove the user
  • Remove from IdP: Unassign the user from the Conduit application in your IdP
Without Directory Sync, removing a user from your IdP prevents future logins but does not automatically remove them from the Conduit workspace. Remove them from both places to fully revoke access.

With Directory Sync

When Directory Sync is enabled, user lifecycle is managed from your IdP:
  • Adding members: Assign the user in your IdP, and they are automatically provisioned in Conduit
  • Removing members: Unassign or disable the user in your IdP, and they are automatically deactivated in Conduit with all sessions revoked

Role Mapping

Roles (Admin, Member) are managed within Conduit, not synced from your IdP. After a user is provisioned or authenticates via SSO, their Conduit role determines what they can access.

Enforcing SSO

Once SSO is configured and tested, you can request SSO enforcement for your workspace. When enforced:
  • All members must authenticate through your IdP
  • Email/password login is disabled for the workspace
  • Social login (Google, GitHub) is disabled for the workspace
Contact support@conduit.ai to enable SSO enforcement.
We recommend testing SSO with a few members before enforcing it workspace-wide. Keep at least one admin with backup access during the transition.

Frequently Asked Questions

Can SSO be used with multiple Conduit workspaces?
Yes. If your organization has multiple Conduit workspaces, SSO can be configured for each one. Members authenticate once through your IdP and can access any workspace they’ve been invited to.

How is multi-factor authentication (MFA) handled?
MFA is handled by your identity provider. If your IdP requires MFA, members will complete the MFA challenge during SSO login. Conduit respects whatever authentication policies your IdP enforces.

What happens if our identity provider is unreachable?
If your IdP is unreachable, members won’t be able to log in via SSO. Contact Conduit support to temporarily enable backup authentication methods during an IdP outage.

Does Conduit support automated user provisioning?
Yes. Conduit supports automated user provisioning and deprovisioning via SCIM 2.0 (Directory Sync). Currently supported with Okta and Microsoft Entra ID. See the Directory Sync section above for setup instructions.

Can SSO be restricted to specific email domains?
Yes. SSO connections can be scoped to specific email domains, ensuring only members with matching corporate email addresses can authenticate.