Single Sign-On (SAML / OIDC)
Your IdP. Your access policies. Zero local passwords.
Federated identity for LLM Gateway: SAML 2.0 and OpenID Connect, certified for Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, and any compliant IdP. SCIM 2.0 provisioning auto-creates accounts on first login and de-provisions on user removal from your directory — no manual off-boarding. Group-to-role mappings let you grant Admin / Member / Viewer based on AD groups, so access is governed entirely by your existing identity system. Enforce SSO-only mode to block password and passkey logins for your domain.
Why teams turn it on
Universal IdP support
SAML 2.0 and OIDC: Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, Auth0, and any compliant provider.
SCIM auto-provisioning
Users created on first login. Removed users de-provisioned within minutes via SCIM 2.0. No manual cleanup.
Group-based role mapping
Map IdP groups to LLM Gateway roles (Admin / Member / Viewer). Access changes the moment your directory changes.
SSO-only enforcement
Disable password + passkey logins for your domain. Every authentication path is your IdP — no shadow accounts.
How it works
From decision to deployed in three short steps
- 01 Add your IdP metadata
  Paste your SAML metadata URL or OIDC discovery endpoint. We auto-detect endpoints and certificates.
- 02 Map groups to roles
  Create rules: `ai-admins → Admin`, `engineering → Member`, `finance → Viewer`. A user who belongs to multiple mapped groups gets the highest of the mapped roles.
- 03 Enforce SSO-only
  Toggle SSO-only mode for your verified email domain. Password and passkey logins are now blocked for that domain.
Real-world use cases
Why customers actually adopt this
Zero-touch onboarding
New engineer joins the AI team in Okta. They log in to LLM Gateway with their SSO; account provisions, role assigned, ready in seconds.
Instant off-boarding
Engineer leaves. Removed from Okta. Within minutes, their LLM Gateway session is revoked and their account de-provisioned.
Audit-clean access reviews
Quarterly access reviews are trivial — the source of truth is your IdP, and the audit log records every role change.
Frequently asked
- Do you support SCIM provisioning?
- Yes, full SCIM 2.0. Users, groups, role assignments, and de-provisioning all flow through SCIM if your IdP supports it.
- What happens to existing accounts when we enable SSO-only?
- Existing accounts on your domain are migrated to SSO at next login. Local credentials are deactivated; the user's data, API keys, and project memberships are preserved.
More enterprise capabilities
The rest of the enterprise stack
Enterprise Audit Logs
Tamper-evident audit trails for SOC 2, HIPAA, ISO 27001, and internal investigations. Every config change, key rotation, and admin action — captured, attributed, exportable.
Per-Project Routing Overrides
Override global routing rules at the project level — region, provider order, fallback chain, and cost ceilings. Production stays pinned; experimental teams stay flexible.
Enterprise Guardrails
Server-side detection for prompt injection, PII, secrets, and policy violations. Configured centrally, enforced at the gateway, auditable per-request.
Discord & Slack Alerts
Native webhook integrations for Discord and Slack. Get the enterprise contact-sales form, billing events, guardrail trips, and SLA breaches in the channels your team already monitors.
White-Label Chat & Playground
Embed or stand up a fully white-labeled chat app and playground under your own domain. Customize branding, default models, system prompts, and feature toggles.
See Single Sign-On (SAML / OIDC) on your real workloads
Bring a sample workload to a 30-minute call. We'll wire it up live and show you the actual experience your team will get.