SSO and SCIM
Tegendo.AI supports enterprise Single Sign-On (SSO) via SAML 2.0 and OpenID Connect (OIDC), along with SCIM 2.0 for automated user provisioning and deprovisioning. This guide covers setup for both.
Single Sign-On (SSO)
SSO allows your team to authenticate with Tegendo.AI using your existing identity provider (IdP). Once configured, users sign in through your IdP instead of managing a separate password.
Supported identity providers
Tegendo.AI has been tested with the following providers. Any SAML 2.0 or OIDC-compliant provider should work.

| Provider | Protocol | Status |
|---|---|---|
| Okta | SAML / OIDC | Verified |
| Azure AD (Entra ID) | SAML / OIDC | Verified |
| Google Workspace | OIDC | Verified |
| OneLogin | SAML | Verified |
| JumpCloud | SAML | Verified |
| PingIdentity | SAML / OIDC | Verified |
| Custom SAML 2.0 | SAML | Supported |
| Custom OIDC | OIDC | Supported |
Setting up SAML SSO
Select SAML 2.0
Click Configure SAML to begin setup. Tegendo.AI will display your:
- ACS URL (Assertion Consumer Service URL)
- Entity ID (SP Entity ID)
- Metadata URL
Configure your IdP
In your identity provider, create a new SAML application and enter the ACS URL and Entity ID from the previous step.
Set the following attribute mappings:

| IdP Attribute | Tegendo.AI Field |
|---|---|
| email or nameId | Email (required) |
| firstName | First name |
| lastName | Last name |
| groups | Groups (for role mapping) |
Upload IdP metadata
Download your IdP’s metadata XML file (or copy the metadata URL) and paste it into the Tegendo.AI SAML configuration form.
Alternatively, manually enter:
- IdP SSO URL — The URL where Tegendo.AI sends authentication requests
- IdP Certificate — The X.509 certificate used to verify SAML assertions
- IdP Entity ID — Your identity provider’s entity identifier
Test the connection
Click Test Connection to initiate a test login flow. You’ll be redirected to your IdP and back. If successful, you’ll see a confirmation with the authenticated user’s details.
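When a test login fails with "Invalid SAML response" or "User not found", the usual causes are the SP values and the attribute names above not lining up with what the IdP actually sends. The following is an added example, not Tegendo.AI's code: a small Python check that parses a SAML Response, compares its Destination and Audience against the ACS URL and Entity ID you were given, and applies the attribute mapping from the table. The ACS URL, Entity ID and the sample response are constructed placeholders; the check deliberately does not verify the XML signature, which needs the IdP certificate and a SAML library and is assumed to happen separately.

```python
"""Check a SAML Response against the SP values Tegendo.AI displays.

Added example, not Tegendo.AI's code. ACS_URL, SP_ENTITY_ID and
SAMPLE_RESPONSE are constructed placeholders.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

# Constructed SP values; in practice copy them from the SAML configuration page.
ACS_URL = "https://example.invalid/saml/acs"
SP_ENTITY_ID = "https://example.invalid/saml/metadata"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# IdP attribute names from the mapping table -> internal field names (assumed).
ATTRIBUTE_MAP = {
    "email": "email",
    "firstName": "first_name",
    "lastName": "last_name",
    "groups": "groups",
}

# Constructed, unsigned response: email is carried only in NameID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://example.invalid/saml/acs" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://example.invalid/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Ng</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>tegendo-admins</saml:AttributeValue>
        <saml:AttributeValue>tegendo-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID):
    """Return (problems, mapped_fields) for one SAML Response.

    problems lists the mismatches behind "Invalid SAML response" and
    "User not found". Signature verification is out of scope here.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # Destination must equal the ACS URL registered in the IdP.
    destination = root.get("Destination")
    if destination != acs_url:
        problems.append(f"Destination {destination!r} != ACS URL {acs_url!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"], {}

    # Audience must equal the SP Entity ID.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {sp_entity_id!r}")

    # Apply the attribute mapping; groups is multi-valued, the rest single.
    fields = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if name in ATTRIBUTE_MAP and values:
            key = ATTRIBUTE_MAP[name]
            fields[key] = values if key == "groups" else values[0]

    # The table allows "email or nameId": fall back to NameID for the email.
    if "email" not in fields:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is not None and name_id.text:
            fields["email"] = name_id.text
    if "email" not in fields:
        problems.append("no email attribute and no NameID: user lookup will fail")
    return problems, fields


if __name__ == "__main__":
    probs, mapped = check_response(SAMPLE_RESPONSE)
    print("problems:", probs)
    print("fields:", mapped)
```

Run it against a response captured from a failing test login (your browser's SAML tracer can export one) and compare the reported mismatch with the IdP application settings.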
Setting up OIDC SSO
Note the redirect URI
Tegendo.AI displays the Redirect URI that you’ll need to register in your IdP.
Register an OIDC application in your IdP
Create a new OIDC/OAuth2 application in your identity provider. Set the redirect URI to the one provided by Tegendo.AI. Note the Client ID and Client Secret.
Enter OIDC configuration
In Tegendo.AI, enter:
- Discovery URL — Your IdP’s `.well-known/openid-configuration` endpoint
- Client ID — From the OIDC application you created
- Client Secret — From the OIDC application you created
- Scopes — `openid email profile` (default)
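Before pasting a Discovery URL into the form it is worth confirming that the document behind it is usable: the issuer must match the URL prefix (the validation rule in OpenID Connect Discovery, section 4.3), the endpoints must be HTTPS so the client secret is never sent in clear text, and the IdP should advertise the default scopes. This is an added example, not Tegendo.AI's code; the discovery URL and document are constructed, and a real check would fetch the JSON from the IdP first.

```python
"""Sanity-check an OIDC discovery document before entering it in Tegendo.AI.

Added example, not Tegendo.AI's code. DISCOVERY_URL and SAMPLE_DOCUMENT
are constructed; in practice fetch the document from the IdP.
"""
import json
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "email", "profile"}  # the guide's default scopes
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed discovery URL and document.
DISCOVERY_URL = "https://idp.example.invalid/.well-known/openid-configuration"
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://idp.example.invalid",
    "authorization_endpoint": "https://idp.example.invalid/authorize",
    "token_endpoint": "https://idp.example.invalid/token",
    "jwks_uri": "https://idp.example.invalid/keys",
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def check_discovery(discovery_url, document_text):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    doc = json.loads(document_text)

    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")

    # Issuer check: the discovery URL must be the issuer plus the well-known
    # suffix, otherwise ID tokens will be issued for a different issuer than
    # the one the client was configured with.
    issuer = doc.get("issuer", "")
    expected = issuer.rstrip("/") + "/.well-known/openid-configuration"
    if discovery_url != expected:
        problems.append(f"issuer {issuer!r} does not match discovery URL")

    # Every endpoint must be https; the token endpoint receives the client secret.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")

    # Warn when the IdP does not advertise the default scopes.
    supported = set(doc.get("scopes_supported", []))
    if supported and not REQUIRED_SCOPES <= supported:
        problems.append(f"scopes not advertised: {sorted(REQUIRED_SCOPES - supported)}")

    return problems


if __name__ == "__main__":
    print(check_discovery(DISCOVERY_URL, SAMPLE_DOCUMENT) or "discovery document OK")
```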
SCIM provisioning
SCIM (System for Cross-domain Identity Management) automates user lifecycle management. When you add or remove users from a group in your IdP, they are automatically provisioned or deprovisioned in Tegendo.AI.
Setting up SCIM
Enable SCIM
Navigate to Settings > Security > SCIM and click Enable SCIM. Tegendo.AI generates:
- SCIM Base URL — The endpoint your IdP sends provisioning requests to
- Bearer Token — The authentication token for SCIM requests
Configure your IdP
In your identity provider’s SCIM provisioning settings, enter the base URL and bearer token. Configure the following provisioning actions:
- Create Users — Enabled
- Update User Attributes — Enabled
- Deactivate Users — Enabled
- Push Groups — Enabled (for role mapping)
Map attributes
Map your IdP’s user attributes to Tegendo.AI fields:
| IdP Attribute | SCIM Attribute | Required |
|---|---|---|
| Email | emails[type eq "work"].value | Yes |
| First name | name.givenName | Yes |
| Last name | name.familyName | Yes |
| Display name | displayName | No |
Auto-provisioning users
When a user is added to a SCIM-assigned group in your IdP, Tegendo.AI automatically:
- Creates a user account with the mapped attributes
- Assigns the default role (Member) unless group-to-role mapping is configured
- Sends a welcome email with instructions to sign in via SSO
Deprovisioning users
When a user is removed from all SCIM-assigned groups in your IdP, Tegendo.AI:
- Deactivates the user account (the user can no longer sign in)
- Preserves the user’s conversation history and data per your retention policy
- Releases the seat from your subscription count
Deprovisioned users are soft-deleted. Their data remains accessible to admins for the configured retention period. After the retention period, data is permanently deleted.
Group-to-role mapping
Map your IdP groups to Tegendo.AI roles so that users are automatically assigned the correct permissions:
- Navigate to Settings > Security > SCIM > Role Mapping
- For each IdP group, select the corresponding Tegendo.AI role:

| IdP Group | Tegendo.AI Role |
|---|---|
| tegendo-admins | Admin |
| tegendo-managers | Manager |
| tegendo-users | Member |
| tegendo-viewers | Viewer |

- Click Save Mapping
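To make the SCIM provisioning, deprovisioning and role-mapping steps above concrete, here is an added example (not Tegendo.AI's code) of an in-memory model of the `/Users` endpoint an IdP talks to: it checks the bearer token with a constant-time compare (a wrong token is the "401 Unauthorized" case), evaluates the `emails[type eq "work"].value` mapping path, creates a user with the role derived from the group table, and treats a PATCH setting `active` to false as a soft deactivation. The bearer token, base path handling, internal field names and the sample user payload are constructed; the "first matching group wins" rule for users in several mapped groups is an assumption, since the guide does not say how that case is resolved.

```python
"""In-memory model of the SCIM 2.0 /Users calls an IdP makes during provisioning.

Added example, not Tegendo.AI's code. The token, field names and the
sample payload are constructed; there is no HTTP server here.
"""
import hmac

SCIM_BEARER_TOKEN = "constructed-token-placeholder"  # placeholder, not a real token

# Group-to-role table from the guide. Ordered: first match wins when a user is
# in several mapped groups (assumption; the guide does not define precedence).
ROLE_MAP = [
    ("tegendo-admins", "Admin"),
    ("tegendo-managers", "Manager"),
    ("tegendo-users", "Member"),
    ("tegendo-viewers", "Viewer"),
]
DEFAULT_ROLE = "Member"  # guide: default role unless a mapping applies

# Constructed SCIM 2.0 User resource as an IdP would POST it.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.invalid",
    "name": {"givenName": "Alice", "familyName": "Ng"},
    "displayName": "Alice Ng",
    "emails": [{"value": "alice@example.invalid", "type": "work", "primary": True}],
}


def role_for_groups(groups):
    for group, role in ROLE_MAP:
        if group in groups:
            return role
    return DEFAULT_ROLE


def work_email(user):
    """Evaluate the mapping path emails[type eq "work"].value."""
    for entry in user.get("emails", []):
        if entry.get("type") == "work":
            return entry.get("value")
    return None


def _as_bool(value):
    # Some IdPs send "False" as a string rather than a JSON boolean.
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)


class ScimStore:
    """Tiny SCIM 2.0 /Users service: create and deactivate."""

    def __init__(self, token=SCIM_BEARER_TOKEN):
        self._token = token.encode()
        self.users = {}  # SCIM id -> stored record
        self._next_id = 1

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False
        # Constant-time compare so the token cannot be probed via timing.
        return hmac.compare_digest(auth[len("Bearer "):].encode(), self._token)

    def handle(self, method, path, headers, body=None, groups=()):
        """Return (status, response_dict) for one SCIM request."""
        if not self._authorized(headers):
            return 401, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                         "status": "401", "detail": "invalid bearer token"}

        if method == "POST" and path == "/Users":
            email = work_email(body or {})
            name = (body or {}).get("name", {})
            if not email or not name.get("givenName") or not name.get("familyName"):
                return 400, {"status": "400", "detail": "work email, givenName and familyName are required"}
            user_id = str(self._next_id)
            self._next_id += 1
            record = {
                "id": user_id,
                "email": email,
                "first_name": name["givenName"],
                "last_name": name["familyName"],
                "display_name": body.get("displayName"),
                "role": role_for_groups(groups),
                "active": True,
            }
            self.users[user_id] = record
            return 201, record

        if method == "PATCH" and path.startswith("/Users/"):
            record = self.users.get(path[len("/Users/"):])
            if record is None:
                return 404, {"status": "404", "detail": "user not found"}
            # Deprovisioning: a replace of active=false is a soft delete; the
            # record and its data stay for the retention period.
            for op in (body or {}).get("Operations", []):
                if op.get("op", "").lower() != "replace":
                    continue
                if op.get("path") == "active":
                    record["active"] = _as_bool(op.get("value"))
                elif op.get("path") is None and isinstance(op.get("value"), dict):
                    if "active" in op["value"]:
                        record["active"] = _as_bool(op["value"]["active"])
            return 200, record

        return 404, {"status": "404", "detail": "unsupported request"}


if __name__ == "__main__":
    store = ScimStore()
    headers = {"Authorization": "Bearer " + SCIM_BEARER_TOKEN}
    print(store.handle("POST", "/Users", headers, SAMPLE_USER, groups=["tegendo-admins"]))
    print(store.handle("PATCH", "/Users/1", headers,
                       {"Operations": [{"op": "Replace", "path": "active", "value": "False"}]}))
```

The two PATCH shapes handled at the end cover the common variants: a `path` of `active` with a boolean or string value, and a path-less replace whose value is an object containing `active`. If your IdP's deactivation shows up as "Attributes not syncing", capturing the exact PATCH body it sends is the first thing to check.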
Troubleshooting
Common SSO issues
| Problem | Solution |
|---|---|
| "Invalid SAML response" | Verify the ACS URL and Entity ID in your IdP match the values shown in Tegendo.AI |
| "Certificate validation failed" | Re-download the IdP certificate and re-upload it |
| "User not found" | Ensure the email attribute is mapped correctly in your IdP |
| "SSO loop" | Clear browser cookies and try again, or check for redirect URL mismatches |
Common SCIM issues
| Problem | Solution |
|---|---|
| "401 Unauthorized" | Regenerate the bearer token and update it in your IdP |
| "User not provisioned" | Check that the user is in a SCIM-assigned group |
| "Attributes not syncing" | Verify attribute mappings in your IdP’s SCIM configuration |