Enterprise

SSO & SCIM

Federated sign-in via SAML or OIDC, and SCIM 2.0 for user provisioning. Enabled per-organization; the schema is in place and per-tenant provider config is onboarded concierge-style today.

SSO providers we support

  • SAML 2.0 — Okta, Azure AD (Entra), JumpCloud, Auth0, OneLogin, Google Workspace, custom IdPs that speak the spec.
  • OIDC — same vendors, OIDC profile. Pick whichever your IdP team prefers; the user experience is identical.

The flow

  • User hits app.advisorscrypto.com/login and enters an email at your org’s domain.
  • We resolve the email to your org via the verified domain list, redirect to your IdP, complete the federated handshake.
  • On first sign-in we provision a User row + an OrganizationMember row with a default role of viewer. Promotion to a higher role is a separate action by an org admin (or via SCIM).

SCIM 2.0

SCIM lets your IdP push user provisioning to us — create, update, deactivate. Same auth as the agent API: a bearer token, but issued at the org level via organization.scimToken rather than tied to a user.

SCIM endpoint
Base URL:  https://api.advisorscrypto.com/scim/v2
Auth:      Authorization: Bearer <organization.scimToken>
Resources: /Users, /Groups

Attribute mapping

Default Users.create mapping
{
  "userName":   "<external IdP id, used as login>",
  "name":       { "givenName": "...", "familyName": "..." },
  "emails":     [ { "value": "user@firm.com", "primary": true } ],
  "active":     true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Advisory"
  }
}
The enterprise-extension department attribute is optional; when present it feeds the department-to-role mapping described below.

By default a SCIM-provisioned user gets the role viewer unless your IdP populates a department-to-role mapping we’ve agreed on during onboarding. SCIM deactivate sets OrganizationMember.removedAt — we don’t delete rows so the audit trail stays intact.

What ships today

  • Users.create / update / deactivate — live.
  • Users.read / list — live.
  • Groups — in progress. Group-to-role mapping is configured concierge-style today.
  • Filter expressions on List — partial (equality on userName, email, active).
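To make the mapping and deactivation rules above concrete, here is an added example (not the product's own code) of the server-side logic a SCIM /Users handler needs: the viewer default with a department-to-role override, deactivate as a soft delete via removedAt, and the supported equality-only filter subset. The department-to-role table and the sample payloads are constructed assumptions, not values agreed with any customer.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Hypothetical department-to-role mapping, standing in for whatever is agreed at onboarding.
DEPARTMENT_ROLE_MAP = {"Advisory": "analyst", "Compliance": "admin"}

@dataclass
class OrganizationMember:
    user_name: str
    email: str
    role: str = "viewer"                   # least-privilege default
    removed_at: Optional[datetime] = None  # set by SCIM deactivate; the row is never deleted

def role_from_scim(payload: dict, mapping: dict = DEPARTMENT_ROLE_MAP) -> str:
    """viewer unless the enterprise extension's department maps to an agreed role."""
    dept = (payload.get(ENTERPRISE_EXT) or {}).get("department")
    return mapping.get(dept, "viewer")

def provision_user(payload: dict) -> OrganizationMember:
    """Users.create: userName becomes the login; a primary email is required."""
    primary = next((e["value"] for e in payload.get("emails", []) if e.get("primary")), None)
    if not primary:
        raise ValueError("SCIM payload must carry a primary email")
    return OrganizationMember(payload["userName"], primary, role_from_scim(payload))

def apply_patch(member: OrganizationMember, patch: dict, now: Optional[datetime] = None) -> OrganizationMember:
    """PatchOp on active: false sets removedAt (soft delete), true clears it."""
    now = now or datetime.now(timezone.utc)
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() == "replace" and op.get("path") == "active":
            active = str(op["value"]).lower() == "true"   # IdPs send a bool or the string "False"
            member.removed_at = None if active else now
    return member

def matches_filter(member: OrganizationMember, expr: str) -> bool:
    """Only the supported subset: equality on userName, email, active."""
    attr, op, raw = expr.split(" ", 2)
    if op.lower() != "eq" or attr not in ("userName", "email", "active"):
        raise ValueError(f"unsupported filter: {expr}")
    actual = {"userName": member.user_name, "email": member.email,
              "active": str(member.removed_at is None).lower()}[attr]
    return actual == raw.strip('"').lower() if attr == "active" else actual == raw.strip('"')

# Constructed sample payloads (not captured from any real IdP).
SAMPLE_CREATE = {"userName": "jdoe@firm.com", "active": True,
                 "emails": [{"value": "jdoe@firm.com", "primary": True}],
                 ENTERPRISE_EXT: {"department": "Advisory"}}
SAMPLE_DEACTIVATE = {"Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
```

Because deactivation only stamps removedAt, a later "active": true patch restores the same member row, so the audit trail spans both events.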

Just-in-time provisioning

SAML/OIDC users are auto-created on first successful sign-in even without SCIM. SCIM is the right answer if you need deactivation to propagate immediately on IdP changes; SAML JIT is fine if you can tolerate eventual consistency.

Last updated 2026-06-15