
SSO & SAML


Sign-on via Okta / Azure AD / Google Workspace. Planned for v2.0.


ℹ️ Planned for v2.0

SSO / SAML integration is in the v2.0 Enterprise roadmap. Until then, dashboard authentication uses email-based device-auth or API keys. See Authentication for the v0.1 flow.

What's planned

  • SAML 2.0 — Okta, Azure AD (Entra ID), Google Workspace, OneLogin, Ping, and any compliant IdP.
  • SCIM 2.0 — automated user provisioning and de-provisioning. New hires get a grith seat on team join; leavers lose access immediately.
  • JIT user creation — first SSO login provisions the user automatically.
  • Group → role mapping — IdP groups map to grith RBAC roles (planned; see RBAC).
  • Just-in-time access — temporary elevated roles for incident response, expiring automatically.

Integration shape (preview)

The eventual integration will look like:

  1. Admin configures SSO in the dashboard: IdP metadata URL, role mapping rules.
  2. End users sign in via https://grith.ai/sso/<team-slug>.
  3. Their grith.ai session is bound to their IdP-asserted identity.
  4. Device-auth still works for headless installs; SCIM keeps the seat list in sync.

What it will not do

  • SSO does not replace device authentication. Each developer device still goes through device-auth or API-key auth to bind to a team. SSO controls which user can run that bind, not the device-level trust model.
  • SSO does not give grith.ai access to your IdP. Standard SAML / SCIM patterns: assertions and provisioning calls only.

Timeline

Target: v2.0, late 2026. The infrastructure (multi-team account model, role plumbing) is in place; the actual SAML responder and SCIM endpoint are the remaining work.

Last updated: 2026-05-14
© 2026 grith. All rights reserved.