SSO and Directory Sync are available on Enterprise plans. Workspace admins can set up and manage SSO directly from Settings > Security without contacting support.
When to Use What
| Capability | Password | SSO | SSO + SCIM |
|---|---|---|---|
| Centralized access control | | ✔️ | ✔️ |
| Enforce corporate credentials | | ✔️ | ✔️ |
| Eliminate separate passwords | | ✔️ | ✔️ |
| Automatic user provisioning | | | ✔️ |
| Automatic user deprovisioning | | | ✔️ |
| Group-based role assignment | | | ✔️ |
| Real-time directory updates | | | ✔️ |
Supported Protocols
| Protocol | Details |
|---|---|
| SAML 2.0 | Full support for SP-initiated and IdP-initiated SSO flows |
| OpenID Connect (OIDC) | OAuth 2.0 authorization code grant with ID tokens |
| SCIM 2.0 | Automated user and group provisioning and deprovisioning |
Supported Identity Providers
Exec integrates with any identity provider that supports SAML 2.0 or OpenID Connect. The following providers have been tested and have guided setup documentation available:

| Provider | SSO | Directory Sync (SCIM) |
|---|---|---|
| Okta | ✔️ | ✔️ |
| Microsoft Entra ID (Azure AD) | ✔️ | ✔️ |
| Google Workspace | ✔️ | ✔️ |
| OneLogin | ✔️ | ✔️ |
| PingFederate | ✔️ | ✔️ |
| PingOne | ✔️ | |
| JumpCloud | ✔️ | ✔️ |
| Duo | ✔️ | |
| AD FS | ✔️ | |
| Rippling | ✔️ | ✔️ |
| CyberArk | ✔️ | ✔️ |
| Any SAML 2.0 / OIDC provider | ✔️ | |
| Any SCIM 2.0 provider | | ✔️ |
If your identity provider is not listed above, reach out to us at [email protected]. We can support any provider that implements SAML 2.0, OIDC, or SCIM 2.0 standards.
How It Works
Single Sign-On (SSO)
SSO allows your employees to access Exec using their existing corporate credentials through your organization’s identity provider. Once SSO is enabled for a workspace, it becomes the mandatory authentication method for all users in that workspace.

| Behavior | Description |
|---|---|
| Mandatory once enabled | When SSO is turned on for a workspace, it is the only way to authenticate. All users must sign in through the identity provider. |
| No JIT provisioning | SSO alone does not automatically create user accounts. Users must both be allowed in the identity provider and invited into Exec. For automatic account creation, enable Directory Sync (SCIM). |
| SP and IdP initiated | Users can sign in from the Exec login page (SP-initiated) or from their identity provider dashboard (IdP-initiated). |
Directory Sync (SCIM)
Directory Sync provides automated user lifecycle management by connecting Exec to your organization’s directory. When an employee is added to or removed from the appropriate group in your identity provider, their Exec account is automatically provisioned or deprovisioned.

| Behavior | Description |
|---|---|
| Auto-provisioning | Users assigned to the Exec application in your identity provider are automatically created in the Exec workspace. |
| Auto-deprovisioning | Users removed from the Exec application in your identity provider are automatically deactivated in Exec. |
| Group sync | Groups from your directory are synced to Exec, enabling group-based role assignment and access control. |
| Requires SSO | Directory Sync is designed to work alongside SSO. If you enable SCIM, SSO should also be enabled to ensure a seamless authentication experience. |
Setting Up SSO
Workspace admins can set up SSO directly from the Exec dashboard. The setup process walks you through domain verification, identity provider configuration, and optional directory sync.
Go to Settings > Security
Navigate to Settings > Security in your Exec workspace. You’ll see the SSO setup wizard if your plan includes SSO.
Add and Verify Your Domains
Enter your company’s email domains (e.g. acme.com). You’ll be guided through a DNS verification process to prove domain ownership. You can add multiple domains.
Connect Your Identity Provider
Once at least one domain is verified, click Configure to open the WorkOS Admin Portal. Follow the step-by-step instructions for your specific identity provider (Okta, Azure AD, Google Workspace, etc.).
Disabling SSO or Directory Sync
You can disable SSO or Directory Sync at any time from Settings > Security.

| Action | What Happens |
|---|---|
| Disable Directory Sync | SCIM provisioning stops. Provisioned users and groups are unlinked from the directory. SSO remains active. |
| Disable SSO | Both SSO and Directory Sync are disabled. All members revert to password-based sign-in and are unlinked from the identity provider. |
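
An access review that follows from the behaviors described above, as an added example (not Exec's own code or API): it compares the users assigned to Exec in the identity provider with the workspace's active members and says what each mismatch means with and without Directory Sync. The two email lists, and however you export them, are assumptions.

```python
# Added example: access review for an Exec workspace. The two email lists
# are constructed samples; how you export them is an assumption.

def normalize(email):
    """Trim and lower-case so 'Bo@Acme.com ' matches 'bo@acme.com'."""
    return email.strip().lower()

def review(idp_assigned, exec_members, scim_enabled):
    """Return {email: (state, action)} for every account in either list.

    idp_assigned -- users assigned to the Exec application in the IdP
    exec_members -- active (not deactivated) members of the workspace
    scim_enabled -- True when Directory Sync is turned on
    """
    idp = {normalize(e) for e in idp_assigned}
    members = {normalize(e) for e in exec_members}
    findings = {}
    for email in sorted(idp | members):
        if email in idp and email in members:
            findings[email] = ("ok", "signs in through the identity provider")
        elif email in idp:
            # Allowed in the IdP but no Exec account: SSO alone creates none.
            action = ("wait for Directory Sync to provision" if scim_enabled
                      else "invite the user into Exec")
            findings[email] = ("no_account", action)
        else:
            # Exec member who is no longer assigned in the IdP.
            action = ("check Directory Sync, deactivation did not arrive"
                      if scim_enabled else "remove the member by hand")
            findings[email] = ("stale_member", action)
    return findings

def stale_members(findings):
    """Members to clear before disabling SSO, when all members revert to passwords."""
    return [e for e, (state, _) in findings.items() if state == "stale_member"]

# Constructed sample data, not real accounts.
IDP_ASSIGNED = ["ana@acme.com", "Bo@Acme.com", "cy@acme.com"]
EXEC_MEMBERS = ["ana@acme.com", "bo@acme.com ", "dee@acme.com"]

if __name__ == "__main__":
    result = review(IDP_ASSIGNED, EXEC_MEMBERS, scim_enabled=False)
    for email, (state, action) in result.items():
        print(f"{email:<14} {state:<13} {action}")
    print("clear before disabling SSO:", stale_members(result))
```
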
Frequently Asked Questions
Can users still log in with a password after SSO is enabled?
No. Once SSO is enabled for a workspace, all users must authenticate through your identity provider. Password-based login is no longer available for that workspace.
Do we need SCIM if we already have SSO?
No, SCIM is optional. SSO alone provides centralized authentication. SCIM adds automated provisioning and deprovisioning, which is recommended for organizations that want to reduce manual user management.
Is MFA supported?
Exec relies on your identity provider for multi-factor authentication. When SSO is enabled, your organization’s MFA policies are enforced through your identity provider during the authentication flow.
What identity providers do you support?
We support any provider that implements SAML 2.0 or OpenID Connect, which covers virtually all enterprise identity providers. See the full list above.
What happens when I disable SSO?
All members revert to password-based sign-in and are unlinked from the identity provider. If Directory Sync is enabled, it is also disabled. Your verified domains are preserved so you can re-enable SSO later without re-verifying them.
Can I set a default seat type for SCIM-provisioned users?
Yes. In Settings > Security, you can choose whether users provisioned through SCIM are assigned full seats or basic seats by default.