Single Sign-On (SAML / OIDC)
Your IdP. Your access policies. Zero local passwords.
Federated identity for LLM Gateway: SAML 2.0 and OpenID Connect, certified for Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, and any compliant IdP. SCIM 2.0 provisioning auto-creates accounts on first login and de-provisions on user removal from your directory — no manual off-boarding. Group-to-role mappings let you grant Admin / Member / Viewer based on AD groups, so access is governed entirely by your existing identity system. Enforce SSO-only mode to block password and passkey logins for your domain.
Why teams turn it on
Universal IdP support
SAML 2.0 and OIDC: Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, Auth0, and any compliant provider.
SCIM auto-provisioning
Users created on first login. Removed users de-provisioned within minutes via SCIM 2.0. No manual cleanup.
Group-based role mapping
Map IdP groups to LLM Gateway roles (Admin / Member / Viewer). Access changes the moment your directory changes.
SSO-only enforcement
Disable password + passkey logins for your domain. Every authentication path is your IdP — no shadow accounts.
How it works
From decision to deployed in three short steps
- 01
Add your IdP metadata
Paste your SAML metadata URL or OIDC discovery endpoint. We auto-detect endpoints and certificates.
- 02
Map groups to roles
Create rules: `ai-admins → Admin`, `engineering → Member`, `finance → Viewer`. Multiple group memberships escalate to the highest role.
- 03
Enforce SSO-only
Toggle SSO-only mode for your verified email domain. Password and passkey logins are now blocked for that domain.
Real-world use cases
Why customers actually adopt this
Zero-touch onboarding
New engineer joins the AI team in Okta. They log in to LLM Gateway with their SSO; account provisions, role assigned, ready in seconds.
Instant off-boarding
Engineer leaves. Removed from Okta. Within minutes, their LLM Gateway session is revoked and their account de-provisioned.
Audit-clean access reviews
Quarterly access reviews are trivial — the source of truth is your IdP, and the audit log records every role change.
Frequently asked
- Do you support SCIM provisioning?
- Yes, full SCIM 2.0. Users, groups, role assignments, and de-provisioning all flow through SCIM if your IdP supports it.
- What happens to existing accounts when we enable SSO-only?
- Existing accounts on your domain are migrated to SSO at next login. Local credentials are deactivated; the user's data, API keys, and project memberships are preserved.
More enterprise capabilities
The rest of the enterprise stack
Enterprise Audit Logs
Tamper-evident audit trails for SOC 2, HIPAA, ISO 27001, and internal investigations. Every config change, key rotation, and admin action — captured, attributed, exportable.
Per-Project Routing Overrides
Override global routing rules at the project level — region, provider order, fallback chain, and cost ceilings. Production stays pinned; experimental teams stay flexible.
Enterprise Guardrails
Server-side detection for prompt injection, PII, secrets, and policy violations. Configured centrally, enforced at the gateway, auditable per-request.
Discord & Slack Alerts
Native webhook integrations for Discord and Slack. Get the enterprise contact-sales form, billing events, guardrail trips, and SLA breaches in the channels your team already monitors.
White-Label Chat & Playground
Embed or stand up a fully white-labeled chat app and playground under your own domain. Customize branding, default models, system prompts, and feature toggles.
Provider Compliance Policies
Define the certifications and data policies your providers must meet — SOC 2, ISO 27001, GDPR, no prompt training, no prompt logging — and the gateway refuses to route to anything that doesn't qualify.
See Single Sign-On (SAML / OIDC) on your real workloads
Bring a sample workload to a 30-minute call. We'll wire it up live and show you the actual experience your team will get.