SSO & SCIM

Enterprise Single Sign-On (SSO) and automated user provisioning (SCIM) for centralized identity management.

SSO Overview

Connect MeetLoyd to your identity provider:

User → Identity Provider → SAML/OIDC → MeetLoyd

Supported Providers

Provider	SAML	OIDC
Google Workspace	Yes	Yes
Okta	Yes	Yes
Azure AD (Entra ID)	Yes	Yes
OneLogin	Yes	Yes
Ping Identity	Yes	Yes
Auth0	Yes	Yes
JumpCloud	Yes	Yes
Custom SAML IdP	Yes	-
Custom OIDC IdP	-	Yes

Service Provider Details

When configuring your Identity Provider, use these MeetLoyd endpoints:

Setting	Value
SP Entity ID	`https://app.meetloyd.com/api/sso`
ACS URL (SAML)	`https://app.meetloyd.com/api/sso/saml`
OIDC Redirect URI	`https://app.meetloyd.com/api/sso/callback/{connectionId}`

Note: For OIDC, the redirect URI includes your connection ID. You can find this ID in the SSO settings after creating your connection.

Google Workspace Setup

Step 1: Create SAML App in Google Admin

Go to Google Admin Console
Navigate to Apps > Web and mobile apps
Click Add app > Add custom SAML app
Enter app details:
- App name: MeetLoyd
- Description: AI Agent Platform
- Upload MeetLoyd logo (optional)

Step 2: Configure Google IdP

On the "Google Identity Provider details" page, copy these values (you'll need them later):

SSO URL
Entity ID
Certificate (download it)

Step 3: Configure Service Provider Details

Enter MeetLoyd's Service Provider details:

Field	Value
ACS URL	`https://app.meetloyd.com/api/sso/saml`
Entity ID	`https://app.meetloyd.com/api/sso`
Start URL	`https://app.meetloyd.com/login`
Name ID format	`EMAIL`
Name ID	`Basic Information > Primary email`

Step 4: Attribute Mapping

Add these attribute mappings:

Google Directory Attribute	App Attribute
Primary email	`email`
First name	`firstName`
Last name	`lastName`

Step 5: Enable for Users

Click User access
Select organizational units that should have access
Click Save

Step 6: Configure MeetLoyd

Go to MeetLoyd > Settings > SSO
Enter the values from Step 2:
- IdP Entity ID: The Entity ID from Google
- SSO URL: The SSO URL from Google
- Certificate: Paste the certificate content
Click Save and Enable

Step 7: Test

Click Test Connection in MeetLoyd to verify the setup.

Okta Setup

Step 1: Create SAML App

In Okta Admin, go to Applications > Create App Integration
Select SAML 2.0
Configure:
- Single sign-on URL: https://app.meetloyd.com/api/sso/saml
- Audience URI: https://app.meetloyd.com/api/sso
- Name ID format: EmailAddress
- Application username: Email

Step 2: Attribute Statements

Name	Value
email	user.email
firstName	user.firstName
lastName	user.lastName

Step 3: Configure MeetLoyd

Copy from Okta's Sign On tab:

Identity Provider Issuer
Identity Provider Single Sign-On URL
X.509 Certificate

Enter these in MeetLoyd's SSO settings.

Azure AD (Entra ID) Setup

Step 1: Register Enterprise Application

Go to Azure Portal > Microsoft Entra ID
Enterprise applications > New application > Create your own
Name: MeetLoyd
Select Integrate any other application (Non-gallery)

Step 2: Configure SAML

Go to Single sign-on > SAML
Edit Basic SAML Configuration:
- Identifier (Entity ID): https://app.meetloyd.com/api/sso
- Reply URL (ACS URL): https://app.meetloyd.com/api/sso/saml
- Sign on URL: https://app.meetloyd.com/login

Step 3: Download Certificate

Download the Certificate (Base64) from the SAML Certificates section.

Step 4: Configure MeetLoyd

Use values from the "Set up MeetLoyd" section in Azure.

OIDC Configuration

For OIDC-based SSO:

const connection = await client.sso.create({
  name: 'Corporate Azure AD',
  providerType: 'oidc',

  oidcConfig: {
    issuer: 'https://login.microsoftonline.com/{tenant-id}/v2.0',
    clientId: 'your-app-client-id',
    clientSecret: 'your-app-client-secret',
    scopes: ['openid', 'profile', 'email'],
  },

  allowedDomains: ['company.com'],
  jitProvisioning: true
});

Role Mapping

Map IdP groups to MeetLoyd roles:

await client.sso.update(connection.id, {
  roleMapping: [
    { idpGroup: 'MeetLoyd-Admins', role: 'admin' },
    { idpGroup: 'MeetLoyd-Users', role: 'member' },
    { idpGroup: 'MeetLoyd-Viewers', role: 'viewer' }
  ],
  defaultRole: 'viewer'
});

SCIM Overview

System for Cross-domain Identity Management (SCIM) enables automatic user provisioning:

Identity Provider → SCIM API → MeetLoyd

Benefits

Automated provisioning: Users created when added in IdP
Automated deprovisioning: Users removed when deleted in IdP
Sync groups: Team membership from IdP groups
Real-time updates: Changes sync immediately

Setting Up SCIM

Step 1: Enable SCIM in MeetLoyd

Go to Settings > SCIM
Click Enable SCIM Provisioning
Copy the generated:
- SCIM Base URL: https://app.meetloyd.com/scim/v2
- Bearer Token: Your authentication token

Step 2: Configure Your IdP

Google Workspace SCIM

Google Workspace supports SCIM for Business Plus, Enterprise, and Education Plus plans:

In Google Admin, go to Apps > Web and mobile apps
Click on your MeetLoyd SAML app
Click Auto-provisioning > Set up auto-provisioning
Configure:
- Endpoint URL: https://app.meetloyd.com/scim/v2
- Authentication: Bearer Token
- Token: Your SCIM token from MeetLoyd

Okta SCIM

In your MeetLoyd app, go to Provisioning > Configure API Integration
Check Enable API Integration
Enter:
- Base URL: https://app.meetloyd.com/scim/v2
- API Token: Your SCIM token
Enable provisioning features:
- Create Users
- Update User Attributes
- Deactivate Users

Azure AD SCIM

In your Enterprise Application, go to Provisioning
Set Mode to Automatic
Configure:
- Tenant URL: https://app.meetloyd.com/scim/v2
- Secret Token: Your SCIM token
Test Connection and Save

SCIM Endpoints

Endpoint	Method	Description
`/scim/v2/Users`	GET	List users
`/scim/v2/Users`	POST	Create user
`/scim/v2/Users/{id}`	GET	Get user
`/scim/v2/Users/{id}`	PUT	Replace user
`/scim/v2/Users/{id}`	PATCH	Update user
`/scim/v2/Users/{id}`	DELETE	Delete user
`/scim/v2/Groups`	GET	List groups
`/scim/v2/Groups`	POST	Create group
`/scim/v2/Groups/{id}`	GET	Get group
`/scim/v2/Groups/{id}`	PUT	Replace group
`/scim/v2/Groups/{id}`	PATCH	Update group
`/scim/v2/Groups/{id}`	DELETE	Delete group
`/scim/v2/ServiceProviderConfig`	GET	SCIM capabilities
`/scim/v2/ResourceTypes`	GET	Resource schemas
`/scim/v2/Schemas`	GET	Full schemas

SCIM User Schema

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe@company.com",
  "name": {
    "givenName": "John",
    "familyName": "Doe"
  },
  "emails": [
    {
      "value": "jdoe@company.com",
      "primary": true
    }
  ],
  "active": true
}

SCIM Activity Logs

Monitor SCIM operations from the dashboard:

Go to Settings > SCIM
Click the Activity Log tab
View all provisioning operations with status and details

Rotate SCIM Token

// Generate new token
const newToken = await client.scim.rotateToken();

// Update your IdP with the new token
// Old token remains valid for 24 hours

Domain Verification

Verify domain ownership for SSO:

Go to Settings > SSO > Domains
Click Add Domain
Add the DNS TXT record shown
Click Verify

SSO Enforcement

Require SSO for specific domains:

Enable SSO connection
Add domains to Allowed Domains
Enable Enforce for Domains

Users with these email domains must use SSO - password login will be disabled.

Troubleshooting

"SAML Response Invalid"

Check IdP certificate is correctly pasted (include BEGIN/END lines)
Verify ACS URL matches exactly
Check system clocks are in sync (SAML has 5-minute time window)
Ensure Name ID format matches (EMAIL recommended)

"User Not Provisioned"

Check JIT provisioning is enabled
Verify email domain is in allowed list
Check attribute mapping for email claim

"Group Sync Not Working"

Verify groups claim is in SAML response
Check role mapping configuration
Ensure IdP sends group memberships in assertion

SCIM Errors

Check the Activity Log in Settings > SCIM for detailed error messages.

Common issues:

401 Unauthorized: Token expired or invalid
400 Bad Request: Missing required fields
409 Conflict: User already exists

Best Practices

1. Test Before Enforcement

Start with SSO optional, test with pilot users, then enable enforcement.

2. Keep Backup Admin

Always have at least one admin who can login without SSO for emergencies.

3. Map Roles Carefully

roleMapping: [
  { idpGroup: 'MeetLoyd-Admins', role: 'admin' },
  { idpGroup: 'MeetLoyd-Users', role: 'member' }
],
defaultRole: 'viewer' // Safe default

4. Monitor SCIM Sync

Review the SCIM Activity Log regularly to catch sync issues early.

Next: Learn about Approvals for human oversight of sensitive operations.

SSO Overview​

Supported Providers​

Service Provider Details​

Google Workspace Setup​

Step 1: Create SAML App in Google Admin​

Step 2: Configure Google IdP​

Step 3: Configure Service Provider Details​

Step 4: Attribute Mapping​

Step 5: Enable for Users​

Step 6: Configure MeetLoyd​

Step 7: Test​

Okta Setup​

Step 1: Create SAML App​

Step 2: Attribute Statements​

Step 3: Configure MeetLoyd​

Azure AD (Entra ID) Setup​

Step 1: Register Enterprise Application​

Step 2: Configure SAML​

Step 3: Download Certificate​

Step 4: Configure MeetLoyd​

OIDC Configuration​

Role Mapping​

SCIM Overview​

Benefits​

Setting Up SCIM​

Step 1: Enable SCIM in MeetLoyd​

Step 2: Configure Your IdP​

Google Workspace SCIM​

Okta SCIM​

Azure AD SCIM​

SCIM Endpoints​

SCIM User Schema​

SCIM Activity Logs​

Rotate SCIM Token​

Domain Verification​

SSO Enforcement​

Troubleshooting​

"SAML Response Invalid"​

"User Not Provisioned"​

"Group Sync Not Working"​

SCIM Errors​

Best Practices​

1. Test Before Enforcement​

2. Keep Backup Admin​

3. Map Roles Carefully​

4. Monitor SCIM Sync​