Single Sign-On (SSO)

Let your team log in with your company identity provider. One password, one place.

What you need

SSO is available on the Business plan and above. You will need an identity provider (IdP) that supports OpenID Connect (OIDC). That covers most major providers: Okta, Azure AD, Google Workspace, Auth0, OneLogin, and others.

OIDC setup

Go to Settings > SSO in your workspace. You will need three things from your identity provider:

Provider URL

Also called the Issuer URL or Discovery URL. It looks something like https://your-company.okta.com. Sirv AI Studio uses this to discover your provider's endpoints automatically.

Client ID

A public identifier for the Sirv AI Studio application in your IdP. You get this when you register a new OIDC application on the provider side.

Client Secret

The secret paired with your Client ID. Keep this confidential. Sirv AI Studio stores it encrypted and never exposes it in the UI after you save it.

On your identity provider, set the redirect URI to https://www.sirv.studio/api/auth/callback/oidc. Paste your three values into the SSO settings page, click Test connection, and you should see a green checkmark.

Allowed email domains

Add one or more email domains (like yourcompany.com) to restrict who can log in through SSO. Only users whose email matches an allowed domain will be able to authenticate. This prevents personal accounts from accidentally gaining access.

Auto-provisioning

When auto-provisioning is enabled, anyone who logs in through your IdP with an allowed email domain is automatically added to the workspace. No invite needed. They get the default role you configure (usually Viewer or Editor).

This is great for large teams. A new employee logs in on day one and immediately has access. When you deactivate them in your IdP, they can no longer authenticate and effectively lose access without you touching Sirv AI Studio at all.

Group-to-role mapping

If your IdP sends group claims (most do), you can map those groups to Sirv AI Studio roles. For example:

  • IdP group design-team maps to Editor.
  • IdP group marketing-leads maps to Admin.
  • IdP group external-vendors maps to Supplier.

When a user belongs to multiple IdP groups, the highest-privilege role wins. Mappings are applied on every login, so role changes in your IdP propagate automatically.
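The following added example, which is not Sirv AI Studio's own code, shows how the allowed-domain check, the default role and the group-to-role mapping described above can combine into one decision at login. The privilege order of the roles, the groups claim name, the requirement that email_verified is true, and the fallback to the default role when no group matches are assumptions made for the example.

```python
# Added example; not Sirv AI Studio code. Sample data below is constructed.
# Assumed privilege order (low to high); the page does not state one.
ROLE_RANK = {"Supplier": 0, "Viewer": 1, "Editor": 2, "Admin": 3}
ALLOWED_DOMAINS = {"yourcompany.com"}
GROUP_TO_ROLE = {
    "design-team": "Editor",
    "marketing-leads": "Admin",
    "external-vendors": "Supplier",
}
DEFAULT_ROLE = "Viewer"  # assumed fallback when no group is mapped


def email_domain_allowed(email, allowed=ALLOWED_DOMAINS):
    """Exact, case-insensitive match on the text after the last '@'."""
    local, sep, domain = email.strip().rpartition("@")
    if not (local and sep and domain):
        return False
    # Set membership, not endswith/substring: "notyourcompany.com" and
    # "yourcompany.com.example.net" must not pass.
    return domain.lower() in allowed


def resolve_role(claims):
    """Return the workspace role for an ID token's claims, or None to refuse."""
    email = str(claims.get("email") or "")
    # email_verified is a standard OIDC claim; requiring it is this example's choice.
    if claims.get("email_verified") is not True:
        return None
    if not email_domain_allowed(email):
        return None
    groups = claims.get("groups") or []  # claim name varies by IdP; assumed here
    if isinstance(groups, str):
        groups = [groups]
    mapped = [GROUP_TO_ROLE[g] for g in groups
              if isinstance(g, str) and g in GROUP_TO_ROLE]
    # Highest-privilege mapped role wins; evaluated on every login.
    return max(mapped, key=ROLE_RANK.__getitem__) if mapped else DEFAULT_ROLE


SAMPLE_LOGINS = [  # constructed claims
    {"email": "ana@yourcompany.com", "email_verified": True,
     "groups": ["design-team", "marketing-leads"]},
    {"email": "bo@YourCompany.com", "email_verified": True, "groups": []},
    {"email": "eve@yourcompany.com.example.net", "email_verified": True,
     "groups": ["marketing-leads"]},
]

if __name__ == "__main__":
    for c in SAMPLE_LOGINS:
        print(c["email"], "->", resolve_role(c))
```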

Enforcing SSO

Once SSO is working, you can enforce it by disabling password login for all non-Owner members. Toggle Require SSO in the SSO settings. After that, members must log in through your identity provider. They will not see the email/password option.

The workspace Owner is always exempt from SSO enforcement. This is a safety net so you can still access the workspace if your identity provider goes down.