Docs
Team Management

Single Sign-On (SSO)

Configure SAML 2.0 or OIDC single sign-on with directory sync for your Demoship workspace.

SSO lets your team sign in to Demoship using your organization's identity provider. Available on Enterprise plans.

Supported protocols

  • SAML 2.0 -- For Okta, Azure AD, OneLogin, and other SAML-compliant providers
  • OIDC (OpenID Connect) -- For Google Workspace, Auth0, and OIDC-compliant providers

SAML 2.0 setup

  1. Go to Settings > Security > SSO.
  2. Select SAML 2.0.
  3. Enter your Identity Provider (IdP) metadata:
    • SSO URL -- Your IdP's single sign-on endpoint
    • Entity ID -- Your IdP's entity identifier
    • Certificate -- Your IdP's X.509 signing certificate
  4. Copy the Demoship ACS URL and Entity ID into your IdP's configuration.
  5. Click Test Connection to verify.
  6. Click Enable SSO.

OIDC setup

  1. Go to Settings > Security > SSO.
  2. Select OIDC.
  3. Enter your provider's configuration:
    • Issuer URL -- Your OIDC provider's issuer endpoint
    • Client ID -- The client ID from your OIDC application
    • Client Secret -- The client secret from your OIDC application
  4. Copy the Demoship Redirect URI into your OIDC application settings.
  5. Click Test Connection to verify.
  6. Click Enable SSO.

Supported providers

Demoship has been tested with:

  • Okta
  • Azure Active Directory (Entra ID)
  • Google Workspace
  • OneLogin
  • Auth0
  • PingFederate

Other SAML 2.0 or OIDC-compliant providers should work but are not officially supported.

SCIM directory sync

SCIM automates user provisioning and deprovisioning from your directory:

  1. Go to Settings > Security > SCIM.
  2. Copy the SCIM endpoint URL and Bearer token.
  3. Configure your IdP's SCIM provisioning with these values.

When SCIM is enabled:

  • New users added to the assigned group in your IdP are automatically provisioned in Demoship
  • Users removed from the group are deprovisioned and lose access
  • Role assignments sync from your directory group mappings

Just-in-time provisioning

With SSO enabled, users who authenticate via your IdP are automatically provisioned in Demoship on their first login, without requiring an invitation. Configure the default role for JIT-provisioned users in Settings > Security > SSO > Default Role.

Note: SSO and SCIM are available on Enterprise plans only. Contact sales to enable SSO for your workspace.

Roles & Permissions

Manage team access with Admin, Editor, and Viewer roles plus custom permissions for Enterprise.

Audit Logs

Track workspace activity with audit logs for compliance, security review, and troubleshooting.

On this page

Supported protocolsSAML 2.0 setupOIDC setupSupported providersSCIM directory syncJust-in-time provisioning