SSO & SCIM
Enterprise Single Sign-On (SSO) and automated user provisioning (SCIM) for centralized identity management.
SSO Overview
Connect MeetLoyd to your identity provider so users authenticate through your existing corporate directory.
User → Identity Provider → SAML/OIDC → MeetLoyd
Supported Providers
| Provider | SAML | OIDC |
|---|---|---|
| Google Workspace | Yes | Yes |
| Okta | Yes | Yes |
| Azure AD (Entra ID) | Yes | Yes |
| OneLogin | Yes | Yes |
| Ping Identity | Yes | Yes |
| Auth0 | Yes | Yes |
| JumpCloud | Yes | Yes |
| Custom SAML IdP | Yes | -- |
| Custom OIDC IdP | -- | Yes |
Service Provider Details
When configuring your Identity Provider, use these MeetLoyd endpoints:
| Setting | Value |
|---|---|
| SP Entity ID | https://app.meetloyd.com/api/sso |
| ACS URL (SAML) | https://app.meetloyd.com/api/sso/saml |
| OIDC Redirect URI | https://app.meetloyd.com/api/sso/callback/{connectionId} |
For OIDC, the redirect URI includes your connection ID. You can find this ID in the SSO settings after creating your connection. Register this exact URI at your IdP (scheme, host, path and connection ID, no trailing slash): OIDC providers compare redirect URIs character for character, so any difference causes the callback to be rejected.
Domain Verification
Verify domain ownership for SSO:
- Go to Settings > SSO > Domains
- Click Add Domain
- Add the DNS TXT record shown
- Click Verify
SSO Enforcement
Require SSO for specific domains:
- Enable SSO connection
- Add domains to Allowed Domains
- Enable Enforce for Domains
Users with these email domains must use SSO -- password login will be disabled for them.
SCIM Overview
System for Cross-domain Identity Management (SCIM) enables automatic user provisioning.
Identity Provider → SCIM API → MeetLoyd
Benefits
- Automated provisioning: Users are created in MeetLoyd when they are assigned to the application in the IdP
- Automated deprovisioning: Users are deprovisioned when they are deactivated, deleted, or unassigned in the IdP
- Sync groups: Team membership is derived from IdP groups
- Near-real-time updates: The IdP pushes changes as they happen; some IdPs batch changes and push them on a schedule (Entra ID, for example, runs provisioning cycles roughly every 40 minutes), so a change may take a little while to appear
Troubleshooting
| Issue | Resolution |
|---|---|
| "SAML Response Invalid" | Check that the IdP signing certificate is pasted in full (including the BEGIN/END lines). Verify that the ACS URL configured at the IdP matches exactly. Check that system clocks are in sync: an assertion is only accepted within a 5-minute window, so clock drift on either side causes rejection. Ensure the Name ID format matches (emailAddress recommended). |
| "User Not Provisioned" | Check that JIT provisioning is enabled. Verify that the user's email domain is in the allowed list. Check the attribute mapping for the email claim. |
| "Group Sync Not Working" | Verify that the groups claim is present in the SAML response. Check the role mapping configuration. Ensure the IdP is configured to send group memberships in the assertion. |
| SCIM Errors | Check the Activity Log in Settings > SCIM. Common causes: 401 (bearer token expired or wrong), 400 (missing required attribute, such as userName), 409 (a user with that userName already exists). |
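The "SAML Response Invalid" row lists several non-cryptographic causes (ACS URL mismatch, clock drift, wrong audience, wrong Name ID format). The script below is an added example, not MeetLoyd's code, that runs those checks offline against a decoded SAML Response so you can see which one is failing before touching the IdP configuration. The 5-minute skew tolerance, the sample assertion and the IdP issuer URL are assumptions. Signature verification is deliberately left out (it needs an XML-DSig library such as xmlsec), so a clean result here does not prove the pasted certificate is correct.

```python
"""Offline pre-flight checks for a SAML Response: Destination vs ACS URL,
Conditions window with clock skew, Audience vs SP Entity ID, NameID format.
Added example; not MeetLoyd's code. No signature verification is performed."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ACS_URL = "https://app.meetloyd.com/api/sso/saml"
SP_ENTITY_ID = "https://app.meetloyd.com/api/sso"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLOCK_SKEW = timedelta(minutes=5)  # assumed tolerance; the page states a 5-minute window


def parse_saml_time(value):
    """xsd:dateTime in UTC, e.g. 2024-05-01T12:00:00Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decode_saml_response(saml_response_b64):
    """The browser POSTs the SAMLResponse form field as base64, not raw XML."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def check_saml_response(xml_text, now, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID, skew=CLOCK_SKEW):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, expected samlp:Response"]
    destination = root.get("Destination")
    if destination != acs_url:  # exact string match, a trailing slash is a mismatch
        problems.append(f"Destination {destination!r} does not exactly match ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no saml:Assertion found (encrypted assertions must be decrypted first)")
        return problems
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before) - skew:
            problems.append(f"assertion not yet valid: NotBefore={not_before} (check clock sync)")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
            problems.append(f"assertion expired: NotOnOrAfter={not_on_or_after} (check clock sync)")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include SP Entity ID {sp_entity_id!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format {name_id.get('Format')!r} is not emailAddress")
    return problems


def build_sample_response(destination=ACS_URL, audience=SP_ENTITY_ID, name_id_format=EMAIL_FORMAT):
    """Constructed, unsigned sample response; the issuer URL is made up for the demo."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{destination}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


SAMPLE_NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)  # inside the sample's window


def demo():
    """Check a good response, a stale one, and one sent to an ACS URL with a trailing slash."""
    good = check_saml_response(build_sample_response(), SAMPLE_NOW)
    stale = check_saml_response(build_sample_response(), SAMPLE_NOW + timedelta(minutes=15))
    wrong_acs = check_saml_response(
        build_sample_response(destination="https://app.meetloyd.com/api/sso/saml/"), SAMPLE_NOW)
    return {"good": good, "stale": stale, "wrong_acs": wrong_acs}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "OK")
```

To use it on a real failure, take the SAMLResponse value from the browser's POST to the ACS URL (a SAML tracer extension or the network tab), pass it through `decode_saml_response`, and call `check_saml_response` with the current UTC time. The stale case in `demo` is what a drifted clock looks like from the SP's side.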
Best Practices
- Test before enforcement -- Start with SSO optional, test with pilot users, then enable enforcement
- Keep a backup admin -- Always have at least one admin who can log in without SSO for emergencies (an IdP outage or a broken SSO connection). Because that account bypasses SSO, give it a strong, unique password, use it only for recovery, and watch for any unexpected logins
- Map roles carefully -- Use a safe default role (viewer) for unmapped users, so a missing or mistyped group claim grants read access at most
- Monitor SCIM sync -- Review the SCIM Activity Log regularly to catch sync issues early
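To make the SCIM flow in the overview and the 401/400/409 codes in the troubleshooting table concrete, here is an added example, not MeetLoyd's code, of a minimal in-memory model of a SCIM 2.0 /Users endpoint. It shows the request an IdP sends to provision a user, the lookup it runs to reconcile a 409, and the PATCH it sends to deprovision (IdPs deactivate rather than delete). The bearer token, the user records and the limited filter support are assumptions; a real IdP sends these as HTTPS requests, here they are plain function calls so the cycle runs offline.

```python
"""In-memory model of a SCIM 2.0 /Users endpoint showing where 401, 400 and 409
come from and what a provision / deprovision cycle looks like.
Added example; not MeetLoyd's code. Token and records are made up."""
import re
import secrets
import uuid
from urllib.parse import unquote

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_error(status, detail, scim_type=None):
    """Error body in the shape RFC 7644 section 3.12 prescribes."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def _truthy(value):
    # Some IdPs send booleans as the strings "True"/"False" in PATCH operations.
    return value is True or str(value).lower() == "true"


class ScimUsers:
    def __init__(self, bearer_token):
        self.token = bearer_token
        self.users = {}  # id -> user resource

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False
        return secrets.compare_digest(auth[len("Bearer "):], self.token)  # constant-time

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (status, json_body)."""
        if not self._authorized(headers):
            return scim_error(401, "Invalid or expired bearer token")  # the 401 in the table
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        if method == "GET" and path.startswith("/Users?filter="):
            return self._search(unquote(path[len("/Users?filter="):]))
        if method == "PATCH" and path.startswith("/Users/"):
            return self._patch(path[len("/Users/"):], body or {})
        return scim_error(404, "Resource not found")

    def _find_by_username(self, user_name):
        # userName is compared case-insensitively (RFC 7643 section 4.1.1).
        return next((u for u in self.users.values() if u["userName"].lower() == user_name.lower()), None)

    def _create(self, body):
        user_name = body.get("userName")
        if not user_name:
            return scim_error(400, "Missing required attribute: userName", "invalidValue")  # the 400
        if self._find_by_username(user_name):
            return scim_error(409, f"userName {user_name!r} already exists", "uniqueness")  # the 409
        user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()), "userName": user_name,
                "active": _truthy(body.get("active", True)), "emails": body.get("emails", [])}
        self.users[user["id"]] = user
        return 201, user

    def _search(self, filter_expr):
        # IdPs run this lookup to reconcile a 409 with the record that already exists.
        match = re.fullmatch(r'userName eq "([^"]+)"', filter_expr)
        if not match:
            return scim_error(400, 'Only userName eq "..." is supported in this model', "invalidFilter")
        found = self._find_by_username(match.group(1))
        resources = [found] if found else []
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(resources), "Resources": resources}

    def _patch(self, user_id, body):
        user = self.users.get(user_id)
        if user is None:
            return scim_error(404, "User not found")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path", "").lower() == "active":
                user["active"] = _truthy(op.get("value"))  # deprovisioning sets active=false
        return 200, user


def demo(token="scim_demo_token"):
    """Replay one provisioning cycle and collect the status codes it produces."""
    api = ScimUsers(token)
    ok = {"Authorization": f"Bearer {token}"}
    bad = {"Authorization": "Bearer expired-token"}
    alice = {"schemas": [SCIM_USER], "userName": "alice@example.com",
             "emails": [{"value": "alice@example.com", "primary": True}]}
    results = {}
    results["create"], created = api.handle("POST", "/Users", ok, alice)
    results["duplicate"], _ = api.handle("POST", "/Users", ok, {"userName": "Alice@Example.com"})
    results["missing_username"], _ = api.handle("POST", "/Users", ok, {"schemas": [SCIM_USER]})
    results["bad_token"], _ = api.handle("POST", "/Users", bad, alice)
    results["lookup"], listing = api.handle("GET", "/Users?filter=userName%20eq%20%22alice@example.com%22", ok)
    deactivate = {"schemas": [SCIM_PATCH], "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
    results["deprovision"], after = api.handle("PATCH", f"/Users/{created['id']}", ok, deactivate)
    results["active_after"] = after["active"]
    results["lookup_total"] = listing["totalResults"]
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

When the SCIM Activity Log shows a 409, the matching record usually exists under a userName that differs only in case or was created earlier by JIT provisioning; the filter lookup in `_search` is how an IdP finds it and links the two. The bearer-token check uses a constant-time comparison so a wrong token fails without leaking how much of it matched.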
Next: Learn about Approvals for human oversight of sensitive operations.