Enterprise SSO for AI Platforms: SAML, OIDC & SCIM Guide
Set up enterprise SSO for your AI agent platform. Support for Okta, Azure AD, Google Workspace, and 4 more identity providers.
What you will learn
- Choose between SAML 2.0 and OIDC for your organization
- Configure SSO with Okta, Azure AD, or Google Workspace
- Set up SCIM 2.0 for automated user provisioning and deprovisioning
- Enforce SSO-only login across your AI agent platform
Why SSO for AI Platforms?
When AI agents have access to production systems, code repositories, and customer data, access control is not optional. SSO ensures that only authenticated employees can configure agents, approve actions, or view audit trails — using the same identity provider that manages the rest of your IT infrastructure.
Without SSO, each team member creates a separate account with email/password. When someone leaves the company, their Dobby account stays active until someone remembers to delete it manually, so ex-employees retain agent access.
With SSO, all users authenticate through your corporate IdP. When someone is offboarded in Okta, their Dobby access is automatically revoked via SCIM, with zero manual cleanup.
Supported Identity Providers
- Okta — SAML 2.0 + OIDC + SCIM 2.0
- Azure Active Directory — SAML 2.0 + OIDC + SCIM 2.0
- Google Workspace — OIDC (built-in OAuth)
- OneLogin — SAML 2.0 + OIDC
- Ping Identity — SAML 2.0 + OIDC
- Custom SAML — any SAML 2.0 compliant IdP
- Custom OIDC — any OpenID Connect compliant IdP
SAML vs OIDC — Which to Choose?
SAML 2.0 is the enterprise standard — mature, widely supported, XML-based. OIDC is the modern alternative — lightweight, JSON-based, built on OAuth 2.0. Both work well. Choose based on what your IdP recommends.
- SAML 2.0 — Best for: Okta, Azure AD, legacy enterprise IdPs. XML assertions, X.509 certificates.
- OIDC — Best for: Google Workspace, modern IdPs, mobile apps. JWT tokens, simpler integration.
- Both — All 7 supported providers work with at least one protocol. Some support both.
Setup Steps (Okta Example)
In Okta Admin Console, create a new SAML 2.0 application. Set the ACS URL to https://dobby-ai.com/api/auth/callback/saml and the Entity ID to dobby-ai-{org_id}.
Download the IdP metadata XML or copy the SSO URL, Entity ID, and X.509 certificate from Okta.
In Dobby, go to Organization Settings → SSO. Paste the IdP metadata and save. The platform validates the certificate and tests the connection.
Enable 'SSO Required' to enforce SSO-only login. Users can no longer sign in with email/password — only through the corporate IdP.
All SSO secrets (OIDC client secrets, SAML certificates) are encrypted with AES-256-GCM before storage. They never appear in logs or API responses. Key rotation is supported without downtime.
SCIM 2.0 Provisioning
SCIM (System for Cross-domain Identity Management) automates user lifecycle management. When you add a user in Okta, they are automatically created in Dobby with the correct role. When you deactivate a user in Okta, their Dobby access is revoked immediately.
- Create — new employee added in IdP → user created in Dobby with assigned role
- Update — role change in IdP → role updated in Dobby automatically
- Deactivate — employee offboarded in IdP → Dobby access revoked within minutes
- Group sync — IdP groups map to Dobby roles (admin group → admin role)
SCIM is critical for SOC 2 compliance. Auditors check that access is revoked promptly when employees leave. SCIM makes this automatic — no manual cleanup, no forgotten accounts, no access gaps.
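The lifecycle events above (create, role update, deactivate, group sync) are what a SCIM 2.0 endpoint on the platform side has to act on. The following is an added illustration, not Dobby's code: it handles `POST /Users` and `PATCH /Users/{id}` resources with a constructed group-to-role map (the group names are hypothetical), resolves the most privileged mapped role, and drops live sessions the moment `active` becomes false rather than waiting for a token to expire. It also normalizes the two PATCH shapes and the string-encoded booleans that different IdPs send.

```python
from dataclasses import dataclass
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed IdP-group -> platform-role map (hypothetical names); rank 0 = most privileged.
GROUP_TO_ROLE = {"dobby-admins": "admin", "dobby-operators": "operator"}
ROLE_RANK = {"admin": 0, "operator": 1, "viewer": 2}

@dataclass
class User:
    email: str
    role: str
    active: bool
    sessions: int = 1  # live sessions; all dropped on deactivation

def to_bool(value):
    """IdPs differ: 'active' may arrive as a bool or as the string 'True'/'False'."""
    if isinstance(value, bool):
        return value
    return {"true": True, "false": False}[str(value).lower()]  # KeyError on anything else

def role_from_groups(groups):
    """Most privileged mapped role wins; unmapped groups grant nothing (least privilege)."""
    roles = [GROUP_TO_ROLE[g["display"]] for g in groups if g.get("display") in GROUP_TO_ROLE]
    return min(roles, key=ROLE_RANK.__getitem__) if roles else "viewer"

def scim_create(store, resource):
    """POST /Users: provision with the role implied by IdP group membership."""
    user = User(resource["userName"], role_from_groups(resource.get("groups", [])),
                to_bool(resource.get("active", True)))
    store[resource["externalId"]] = user
    return user

def scim_patch(store, external_id, body):
    """PATCH /Users/{id}: apply 'replace' ops; deactivation revokes sessions at once."""
    if PATCH_OP not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp request")
    user = store[external_id]
    for op in body["Operations"]:
        if op.get("op", "").lower() != "replace":
            raise ValueError(f"unsupported op {op.get('op')!r}")
        # With 'path' the value is one attribute; without it, a dict of attributes.
        changes = {op["path"]: op["value"]} if op.get("path") else dict(op["value"])
        for attr, val in changes.items():
            if attr == "active":
                user.active = to_bool(val)
            elif attr == "groups":
                user.role = role_from_groups(val)
    if not user.active:
        user.sessions = 0  # revoke live sessions now; do not wait for token expiry
    return user
```

Any attribute the handler does not recognize is ignored rather than written through, which keeps the IdP from setting platform fields it was never meant to control.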