Skip to main content

SSO & SCIM

Enterprise Single Sign-On (SSO) and automated user provisioning (SCIM) for centralized identity management.

SSO Overview

Connect MeetLoyd to your identity provider so users authenticate through your existing corporate directory.

User → Identity Provider → SAML/OIDC → MeetLoyd

Supported Providers

ProviderSAMLOIDC
Google WorkspaceYesYes
OktaYesYes
Azure AD (Entra ID)YesYes
OneLoginYesYes
Ping IdentityYesYes
Auth0YesYes
JumpCloudYesYes
Custom SAML IdPYes--
Custom OIDC IdP--Yes

Service Provider Details

When configuring your Identity Provider, use these MeetLoyd endpoints:

SettingValue
SP Entity IDhttps://app.meetloyd.com/api/sso
ACS URL (SAML)https://app.meetloyd.com/api/sso/saml
OIDC Redirect URIhttps://app.meetloyd.com/api/sso/callback/{connectionId}
info

For OIDC, the redirect URI includes your connection ID. You can find this ID in the SSO settings after creating your connection.

Google Workspace Setup

Step 1: Create SAML App in Google Admin

  1. Go to Google Admin Console
  2. Navigate to Apps > Web and mobile apps
  3. Click Add app > Add custom SAML app
  4. Enter app name "MeetLoyd" and optional description

Step 2: Copy Google IdP Details

On the "Google Identity Provider details" page, copy the SSO URL, Entity ID, and download the Certificate.

Step 3: Configure Service Provider Details

FieldValue
ACS URLhttps://app.meetloyd.com/api/sso/saml
Entity IDhttps://app.meetloyd.com/api/sso
Start URLhttps://app.meetloyd.com/login
Name ID formatEMAIL
Name IDBasic Information > Primary email

Step 4: Attribute Mapping

Google Directory AttributeApp Attribute
Primary emailemail
First namefirstName
Last namelastName

Step 5: Enable for Users

Click User access, select organizational units that should have access, and save.

Step 6: Configure MeetLoyd

  1. Go to MeetLoyd > Settings > SSO
  2. Enter the IdP Entity ID, SSO URL, and Certificate from Step 2
  3. Click Save and Enable

Step 7: Test

Click Test Connection in MeetLoyd to verify the setup.

Okta Setup

  1. In Okta Admin, go to Applications > Create App Integration
  2. Select SAML 2.0
  3. Set Single sign-on URL to https://app.meetloyd.com/api/sso/saml
  4. Set Audience URI to https://app.meetloyd.com/api/sso
  5. Set Name ID format to EmailAddress, Application username to Email
  6. Add attribute statements: email (user.email), firstName (user.firstName), lastName (user.lastName)
  7. Copy Identity Provider Issuer, SSO URL, and Certificate from the Sign On tab
  8. Enter these in MeetLoyd's SSO settings

Azure AD (Entra ID) Setup

  1. Go to Azure Portal > Microsoft Entra ID > Enterprise applications > New application > Create your own
  2. Name it "MeetLoyd" and select "Integrate any other application (Non-gallery)"
  3. Go to Single sign-on > SAML and edit Basic SAML Configuration:
    • Identifier (Entity ID): https://app.meetloyd.com/api/sso
    • Reply URL (ACS URL): https://app.meetloyd.com/api/sso/saml
    • Sign on URL: https://app.meetloyd.com/login
  4. Download the Certificate (Base64) from the SAML Certificates section
  5. Enter the values from the "Set up MeetLoyd" section into MeetLoyd's SSO settings

OIDC Configuration

For OIDC-based SSO, provide the issuer URL, client ID, client secret, and scopes (openid, profile, email) in MeetLoyd's SSO settings. Optionally configure allowed domains and JIT (Just-In-Time) provisioning.

Role Mapping

Map your identity provider groups to MeetLoyd roles in the SSO settings. For example, map "MeetLoyd-Admins" to the admin role and "MeetLoyd-Users" to member. Set a safe default role (viewer recommended) for unmapped users.

Domain Verification

Verify domain ownership for SSO:

  1. Go to Settings > SSO > Domains
  2. Click Add Domain
  3. Add the DNS TXT record shown
  4. Click Verify

SSO Enforcement

Require SSO for specific domains:

  1. Enable SSO connection
  2. Add domains to Allowed Domains
  3. Enable Enforce for Domains

Users with these email domains must use SSO -- password login will be disabled for them.

SCIM Overview

System for Cross-domain Identity Management (SCIM) enables automatic user provisioning.

Identity Provider → SCIM API → MeetLoyd

Benefits

  • Automated provisioning: Users created when added in IdP
  • Automated deprovisioning: Users removed when deleted in IdP
  • Sync groups: Team membership from IdP groups
  • Real-time updates: Changes sync immediately

Setting Up SCIM

Step 1: Enable SCIM in MeetLoyd

  1. Go to Settings > SCIM
  2. Click Enable SCIM Provisioning
  3. Copy the generated SCIM Base URL (https://app.meetloyd.com/scim/v2) and Bearer Token

Step 2: Configure Your IdP

Google Workspace SCIM

  1. In Google Admin, go to Apps > Web and mobile apps
  2. Click on your MeetLoyd SAML app > Auto-provisioning > Set up auto-provisioning
  3. Enter the Endpoint URL and Bearer Token from MeetLoyd

Okta SCIM

  1. In your MeetLoyd app, go to Provisioning > Configure API Integration
  2. Check Enable API Integration
  3. Enter the Base URL and API Token
  4. Enable Create Users, Update User Attributes, and Deactivate Users

Azure AD SCIM

  1. In your Enterprise Application, go to Provisioning
  2. Set Mode to Automatic
  3. Enter the Tenant URL and Secret Token
  4. Test Connection and Save

SCIM Activity Logs

Monitor SCIM operations from Settings > SCIM > Activity Log. View all provisioning operations with status and details.

Rotate SCIM Token

Generate a new token from the SCIM settings page. The old token remains valid for 24 hours, giving you time to update your IdP.

Troubleshooting

IssueResolution
"SAML Response Invalid"Check IdP certificate is correctly pasted (include BEGIN/END lines). Verify ACS URL matches exactly. Check system clocks are in sync (SAML has a 5-minute time window). Ensure Name ID format matches (EMAIL recommended).
"User Not Provisioned"Check JIT provisioning is enabled. Verify email domain is in allowed list. Check attribute mapping for email claim.
"Group Sync Not Working"Verify groups claim is in SAML response. Check role mapping configuration. Ensure IdP sends group memberships in assertion.
SCIM ErrorsCheck the Activity Log in Settings > SCIM. Common issues: 401 (token expired), 400 (missing required fields), 409 (user already exists).
Best Practices
  1. Test before enforcement -- Start with SSO optional, test with pilot users, then enable enforcement
  2. Keep a backup admin -- Always have at least one admin who can login without SSO for emergencies
  3. Map roles carefully -- Use a safe default role (viewer) for unmapped users
  4. Monitor SCIM sync -- Review the SCIM Activity Log regularly to catch sync issues early

Next: Learn about Approvals for human oversight of sensitive operations.