> ## Documentation Index
> Fetch the complete documentation index at: https://docs.conduit.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On (SSO) & Directory Sync

> Connect your identity provider to Conduit for centralized authentication (SAML/OIDC) and automated user provisioning (SCIM).

## Overview

Conduit supports enterprise Single Sign-On (SSO) so your team can log in with their existing corporate credentials. Instead of managing separate Conduit passwords, members authenticate through your identity provider (IdP), giving you centralized control over who can access your workspace.

SSO is available on enterprise plans. Contact [support@conduit.ai](mailto:support@conduit.ai) to enable it for your organization.

## Supported Protocols

| Protocol     | Description                                                         |
| ------------ | ------------------------------------------------------------------- |
| **SAML 2.0** | Industry-standard protocol supported by most enterprise IdPs        |
| **OIDC**     | OpenID Connect for IdPs that support OAuth 2.0-based authentication |
| **SCIM 2.0** | Automated user provisioning and deprovisioning via Directory Sync   |

## Supported Identity Providers

Conduit works with any SAML 2.0 or OIDC-compliant identity provider, including:

* **Okta**
* **Microsoft Entra ID** (formerly Azure AD)
* **Google Workspace**
* **OneLogin**
* **JumpCloud**
* **PingFederate**
* **Custom SAML/OIDC providers**

## Setting Up SSO

### Prerequisites

* An enterprise Conduit plan
* Admin access to both Conduit and your identity provider
* Your IdP's SAML metadata URL or OIDC discovery endpoint

### Step 1: Contact Conduit

Reach out to your account manager or email [support@conduit.ai](mailto:support@conduit.ai) to request SSO enablement for your workspace. We'll provision the SSO connection and provide you with:

* **ACS URL** (Assertion Consumer Service) for SAML
* **Entity ID** / **Audience URI**
* **Redirect URI** for OIDC

### Step 2: Configure Your Identity Provider

Using the details from Step 1, create a new application in your IdP:

<AccordionGroup>
  <Accordion title="Okta">
    1. In Okta Admin, go to **Applications** > **Create App Integration**
    2. Select **SAML 2.0**
    3. Enter the ACS URL and Entity ID provided by Conduit
    4. Set **Name ID format** to `EmailAddress`
    5. Map the user's email as the primary attribute
    6. Assign users or groups who should have access
  </Accordion>

  <Accordion title="Microsoft Entra ID (Azure AD)">
    1. In Azure Portal, go to **Enterprise Applications** > **New Application**
    2. Select **Create your own application** > **Non-gallery**
    3. Under **Single sign-on**, select **SAML**
    4. Enter the ACS URL as the **Reply URL** and Entity ID as the **Identifier**
    5. Set **Name ID format** to `EmailAddress`
    6. Assign users or groups
  </Accordion>

  <Accordion title="Google Workspace">
    1. In Google Admin, go to **Apps** > **Web and mobile apps** > **Add custom SAML app**
    2. Enter the ACS URL and Entity ID
    3. Set **Name ID format** to `EMAIL`
    4. Map `Primary email` to `email`
    5. Enable for the relevant organizational units
  </Accordion>
</AccordionGroup>

### Step 3: Share IdP Metadata

Send your IdP's SAML metadata URL (or XML file) back to Conduit support. For OIDC, provide your discovery endpoint and client credentials. We'll complete the connection on our end.

### Step 4: Test the Connection

Once configured, test the SSO flow:

1. Open an incognito/private browser window
2. Navigate to your Conduit workspace login
3. Select **Sign in with SSO**
4. Authenticate through your IdP
5. Verify you land in the correct workspace with the expected role

## How SSO Authentication Works

Once SSO is enabled for your workspace:

1. **Member visits Conduit** and selects SSO login
2. **Conduit redirects** to your identity provider
3. **Member authenticates** with their corporate credentials (and MFA if configured)
4. **IdP sends assertion** back to Conduit confirming the member's identity
5. **Conduit grants access** based on the authenticated email matching a workspace member

## Directory Sync (SCIM)

Directory Sync automates user provisioning and deprovisioning through the SCIM 2.0 protocol. When you add or remove someone in your identity provider, the change automatically propagates to Conduit.

### Supported Providers for Directory Sync

| Provider               | Provisioning | Deprovisioning | Attribute Sync |
| ---------------------- | :----------: | :------------: | :------------: |
| **Okta**               |      Yes     |       Yes      |       Yes      |
| **Microsoft Entra ID** |      Yes     |       Yes      |       Yes      |

<Note>
  Directory Sync requires an existing SAML or OIDC enterprise SSO connection. Set up SSO first, then enable Directory Sync on top of it.
</Note>

### What Gets Synced

When Directory Sync is active, the following user lifecycle events are handled automatically:

* **User created in IdP** — a corresponding Conduit account is provisioned and the member is added to the workspace
* **User updated in IdP** — changes to name or email propagate to Conduit automatically
* **User removed or disabled in IdP** — the member is deactivated in Conduit and all active sessions are revoked immediately

### Synced Attributes

| Attribute               | Description                                            |
| ----------------------- | ------------------------------------------------------ |
| Email address           | Primary identifier, used to match workspace membership |
| First name              | Synced from IdP profile                                |
| Last name               | Synced from IdP profile                                |
| Enabled/disabled status | Controls whether the user can access Conduit           |

### Setting Up Directory Sync

#### Step 1: Enable Directory Sync

Contact [support@conduit.ai](mailto:support@conduit.ai) to enable Directory Sync on your existing SSO connection. We'll provide you with:

* **SCIM Base URL** — the endpoint your IdP will push changes to
* **Bearer Token** — the authentication token for SCIM requests

#### Step 2: Configure Your Identity Provider

<AccordionGroup>
  <Accordion title="Okta">
    1. In Okta Admin, go to your Conduit application
    2. Open the **Provisioning** tab and click **Configure API Integration**
    3. Enter the **SCIM Base URL** and **Bearer Token** provided by Conduit
    4. Test the connection
    5. Under **To App**, enable: **Create Users**, **Update User Attributes**, **Deactivate Users**
    6. Set the unique identifier to `userName`
    7. Assign users or groups to provision
  </Accordion>

  <Accordion title="Microsoft Entra ID">
    1. In Azure Portal, go to your Conduit enterprise application
    2. Navigate to **Provisioning** > **Get started**
    3. Set **Provisioning Mode** to **Automatic**
    4. Enter the **SCIM Base URL** as the **Tenant URL** and **Bearer Token** as the **Secret Token**
    5. Click **Test Connection** to verify
    6. Review the default attribute mappings (email, first name, last name)
    7. Set the provisioning scope and start provisioning
  </Accordion>
</AccordionGroup>

#### Step 3: Verify

After configuration, test the sync:

1. Assign a test user to the Conduit application in your IdP
2. Wait for the provisioning cycle (or trigger a manual sync)
3. Verify the user appears in **Settings** > **Members** in Conduit
4. Unassign the test user from the IdP
5. Verify the user is deactivated in Conduit

### Current Limitations

* **Group sync** is not yet supported. Users are provisioned individually, not by group membership.
* **Custom attribute mapping** is not available. Only the standard attributes listed above are synced.
* **Role mapping** is not synced from IdP. Roles (Admin, Member) are still managed within Conduit.
* Synced attributes are read-only in Conduit. Changes must be made in the IdP.

## Member Management with SSO

### Without Directory Sync

If you're using SSO without Directory Sync, members must still be invited manually:

1. Go to **Settings** > **Members**
2. Click **Add** and enter the member's corporate email
3. Assign their role (Admin or Member)
4. When they log in via SSO, they'll automatically join the workspace

To revoke access without Directory Sync:

* **Remove from Conduit**: Go to **Settings** > **Members** and remove the user
* **Remove from IdP**: Unassign the user from the Conduit application in your IdP

<Warning>
  Without Directory Sync, removing a user from your IdP prevents future logins but does not automatically remove them from the Conduit workspace. Remove them from both places to fully revoke access.
</Warning>

### With Directory Sync

When Directory Sync is enabled, user lifecycle is managed from your IdP:

* **Adding members**: Assign the user in your IdP, they're automatically provisioned in Conduit
* **Removing members**: Unassign or disable the user in your IdP, they're automatically deactivated in Conduit with sessions revoked

### Role Mapping

Roles (Admin, Member) are managed within Conduit, not synced from your IdP. After a user is provisioned or authenticates via SSO, their Conduit role determines what they can access.

## Enforcing SSO

Once SSO is configured and tested, you can request SSO enforcement for your workspace. When enforced:

* All members must authenticate through your IdP
* Email/password login is disabled for the workspace
* Social login (Google, GitHub) is disabled for the workspace

Contact [support@conduit.ai](mailto:support@conduit.ai) to enable SSO enforcement.

<Note>
  We recommend testing SSO with a few members before enforcing it workspace-wide. Keep at least one admin with backup access during the transition.
</Note>

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="Can I use SSO for multiple workspaces?">
    Yes. If your organization has multiple Conduit workspaces, SSO can be configured for each one. Members authenticate once through your IdP and can access any workspace they've been invited to.
  </Accordion>

  <Accordion title="Does SSO support MFA?">
    MFA is handled by your identity provider. If your IdP requires MFA, members will complete the MFA challenge during SSO login. Conduit respects whatever authentication policies your IdP enforces.
  </Accordion>

  <Accordion title="What happens if our IdP goes down?">
    If your IdP is unreachable, members won't be able to log in via SSO. Contact Conduit support to temporarily enable backup authentication methods during an IdP outage.
  </Accordion>

  <Accordion title="Is SCIM (automated provisioning) supported?">
    Yes. Conduit supports automated user provisioning and deprovisioning via SCIM 2.0 (Directory Sync). Currently supported with Okta and Microsoft Entra ID. See the Directory Sync section above for setup instructions.
  </Accordion>

  <Accordion title="Can I restrict SSO to specific email domains?">
    Yes. SSO connections can be scoped to specific email domains, ensuring only members with matching corporate email addresses can authenticate.
  </Accordion>
</AccordionGroup>
