SSO & SCIM
Enterprise Single Sign-On (SSO) and automated user provisioning (SCIM) for centralized identity management.
SSO Overview
Connect MeetLoyd to your identity provider so users authenticate through your existing corporate directory.
User → Identity Provider → SAML/OIDC → MeetLoyd
Supported Providers
| Provider | SAML | OIDC |
|---|---|---|
| Google Workspace | Yes | Yes |
| Okta | Yes | Yes |
| Azure AD (Entra ID) | Yes | Yes |
| OneLogin | Yes | Yes |
| Ping Identity | Yes | Yes |
| Auth0 | Yes | Yes |
| JumpCloud | Yes | Yes |
| Custom SAML IdP | Yes | -- |
| Custom OIDC IdP | -- | Yes |
Service Provider Details
When configuring your Identity Provider, use these MeetLoyd endpoints:
| Setting | Value |
|---|---|
| SP Entity ID | https://app.meetloyd.com/api/sso |
| ACS URL (SAML) | https://app.meetloyd.com/api/sso/saml |
| OIDC Redirect URI | https://app.meetloyd.com/api/sso/callback/{connectionId} |
For OIDC, the redirect URI includes your connection ID. You can find this ID in the SSO settings after creating your connection.
Google Workspace Setup
Step 1: Create SAML App in Google Admin
- Go to Google Admin Console
- Navigate to Apps > Web and mobile apps
- Click Add app > Add custom SAML app
- Enter app name "MeetLoyd" and optional description
Step 2: Copy Google IdP Details
On the "Google Identity Provider details" page, copy the SSO URL, Entity ID, and download the Certificate.
Step 3: Configure Service Provider Details
| Field | Value |
|---|---|
| ACS URL | https://app.meetloyd.com/api/sso/saml |
| Entity ID | https://app.meetloyd.com/api/sso |
| Start URL | https://app.meetloyd.com/login |
| Name ID format | |
| Name ID | Basic Information > Primary email |
Step 4: Attribute Mapping
| Google Directory Attribute | App Attribute |
|---|---|
| Primary email | |
| First name | firstName |
| Last name | lastName |
Step 5: Enable for Users
Click User access, select organizational units that should have access, and save.
Step 6: Configure MeetLoyd
- Go to MeetLoyd > Settings > SSO
- Enter the IdP Entity ID, SSO URL, and Certificate from Step 2
- Click Save and Enable
Step 7: Test
Click Test Connection in MeetLoyd to verify the setup.
Okta Setup
- In Okta Admin, go to Applications > Create App Integration
- Select SAML 2.0
- Set Single sign-on URL to
https://app.meetloyd.com/api/sso/saml - Set Audience URI to
https://app.meetloyd.com/api/sso - Set Name ID format to EmailAddress, Application username to Email
- Add attribute statements: email (user.email), firstName (user.firstName), lastName (user.lastName)
- Copy Identity Provider Issuer, SSO URL, and Certificate from the Sign On tab
- Enter these in MeetLoyd's SSO settings
Azure AD (Entra ID) Setup
- Go to Azure Portal > Microsoft Entra ID > Enterprise applications > New application > Create your own
- Name it "MeetLoyd" and select "Integrate any other application (Non-gallery)"
- Go to Single sign-on > SAML and edit Basic SAML Configuration:
- Identifier (Entity ID):
https://app.meetloyd.com/api/sso - Reply URL (ACS URL):
https://app.meetloyd.com/api/sso/saml - Sign on URL:
https://app.meetloyd.com/login
- Identifier (Entity ID):
- Download the Certificate (Base64) from the SAML Certificates section
- Enter the values from the "Set up MeetLoyd" section into MeetLoyd's SSO settings
OIDC Configuration
For OIDC-based SSO, provide the issuer URL, client ID, client secret, and scopes (openid, profile, email) in MeetLoyd's SSO settings. Optionally configure allowed domains and JIT (Just-In-Time) provisioning.
Role Mapping
Map your identity provider groups to MeetLoyd roles in the SSO settings. For example, map "MeetLoyd-Admins" to the admin role and "MeetLoyd-Users" to member. Set a safe default role (viewer recommended) for unmapped users.
Domain Verification
Verify domain ownership for SSO:
- Go to Settings > SSO > Domains
- Click Add Domain
- Add the DNS TXT record shown
- Click Verify
SSO Enforcement
Require SSO for specific domains:
- Enable SSO connection
- Add domains to Allowed Domains
- Enable Enforce for Domains
Users with these email domains must use SSO -- password login will be disabled for them.
SCIM Overview
System for Cross-domain Identity Management (SCIM) enables automatic user provisioning.
Identity Provider → SCIM API → MeetLoyd
Benefits
- Automated provisioning: Users created when added in IdP
- Automated deprovisioning: Users removed when deleted in IdP
- Sync groups: Team membership from IdP groups
- Real-time updates: Changes sync immediately
Setting Up SCIM
Step 1: Enable SCIM in MeetLoyd
- Go to Settings > SCIM
- Click Enable SCIM Provisioning
- Copy the generated SCIM Base URL (
https://app.meetloyd.com/scim/v2) and Bearer Token
Step 2: Configure Your IdP
Google Workspace SCIM
- In Google Admin, go to Apps > Web and mobile apps
- Click on your MeetLoyd SAML app > Auto-provisioning > Set up auto-provisioning
- Enter the Endpoint URL and Bearer Token from MeetLoyd
Okta SCIM
- In your MeetLoyd app, go to Provisioning > Configure API Integration
- Check Enable API Integration
- Enter the Base URL and API Token
- Enable Create Users, Update User Attributes, and Deactivate Users
Azure AD SCIM
- In your Enterprise Application, go to Provisioning
- Set Mode to Automatic
- Enter the Tenant URL and Secret Token
- Test Connection and Save
SCIM Activity Logs
Monitor SCIM operations from Settings > SCIM > Activity Log. View all provisioning operations with status and details.
Rotate SCIM Token
Generate a new token from the SCIM settings page. The old token remains valid for 24 hours, giving you time to update your IdP.
Troubleshooting
| Issue | Resolution |
|---|---|
| "SAML Response Invalid" | Check IdP certificate is correctly pasted (include BEGIN/END lines). Verify ACS URL matches exactly. Check system clocks are in sync (SAML has a 5-minute time window). Ensure Name ID format matches (EMAIL recommended). |
| "User Not Provisioned" | Check JIT provisioning is enabled. Verify email domain is in allowed list. Check attribute mapping for email claim. |
| "Group Sync Not Working" | Verify groups claim is in SAML response. Check role mapping configuration. Ensure IdP sends group memberships in assertion. |
| SCIM Errors | Check the Activity Log in Settings > SCIM. Common issues: 401 (token expired), 400 (missing required fields), 409 (user already exists). |
- Test before enforcement -- Start with SSO optional, test with pilot users, then enable enforcement
- Keep a backup admin -- Always have at least one admin who can login without SSO for emergencies
- Map roles carefully -- Use a safe default role (viewer) for unmapped users
- Monitor SCIM sync -- Review the SCIM Activity Log regularly to catch sync issues early
Next: Learn about Approvals for human oversight of sensitive operations.