When to Use What
| Capability | Password | SSO | SSO + SCIM |
|---|---|---|---|
| Centralized access control | ✔️ | ✔️ | |
| Enforce corporate credentials | ✔️ | ✔️ | |
| Eliminate separate passwords | ✔️ | ✔️ | |
| Automatic user provisioning | ✔️ | ||
| Automatic user deprovisioning | ✔️ | ||
| Group-based role assignment | ✔️ | ||
| Real-time directory updates | ✔️ |
Supported Protocols
| Protocol | Details |
|---|---|
| SAML 2.0 | Full support for SP-initiated and IdP-initiated SSO flows |
| OpenID Connect (OIDC) | OAuth 2.0 authorization code grant with ID tokens |
| SCIM 2.0 | Automated user and group provisioning and deprovisioning |
Supported Identity Providers
Exec integrates with any identity provider that supports SAML 2.0 or OpenID Connect. The following providers have been tested and have guided setup documentation available:| Provider | SSO | Directory Sync (SCIM) |
|---|---|---|
| Okta | ✔️ | ✔️ |
| Microsoft Entra ID (Azure AD) | ✔️ | ✔️ |
| Google Workspace | ✔️ | ✔️ |
| OneLogin | ✔️ | ✔️ |
| PingFederate | ✔️ | ✔️ |
| PingOne | ✔️ | |
| JumpCloud | ✔️ | ✔️ |
| Duo | ✔️ | |
| AD FS | ✔️ | |
| Rippling | ✔️ | ✔️ |
| CyberArk | ✔️ | ✔️ |
| Any SAML 2.0 / OIDC provider | ✔️ | |
| Any SCIM 2.0 provider | ✔️ |
If your identity provider is not listed above, contact your Exec account representative. We can support any provider that implements SAML 2.0, OIDC, or SCIM 2.0 standards.
How It Works
Single Sign-On (SSO)
SSO allows your employees to access Exec using their existing corporate credentials through your organization’s identity provider. Once SSO is enabled for a workspace, it becomes the mandatory authentication method for all users in that workspace.| Behavior | Description |
|---|---|
| Mandatory once enabled | When SSO is turned on for a workspace, it is the only way to authenticate. All users must sign in through the identity provider. |
| No JIT provisioning | SSO alone does not automatically create user accounts. Users must both be allowed in the identity provider and invited into Exec. For automatic account creation, enable Directory Sync (SCIM). |
| SP and IdP initiated | Users can sign in from the Exec login page (SP-initiated) or from their identity provider dashboard (IdP-initiated). |
Directory Sync (SCIM)
Directory Sync provides automated user lifecycle management by connecting Exec to your organization’s directory. When an employee is added to or removed from the appropriate group in your identity provider, their Exec account is automatically provisioned or deprovisioned.| Behavior | Description |
|---|---|
| Auto-provisioning | Users assigned to the Exec application in your identity provider are automatically created in the Exec workspace. |
| Auto-deprovisioning | Users removed from the Exec application in your identity provider are automatically deactivated in Exec. |
| Group sync | Groups from your directory are synced to Exec, enabling group-based role assignment and access control. |
| Requires SSO | Directory Sync is designed to work alongside SSO. If you enable SCIM, SSO should also be enabled to ensure a seamless authentication experience. |
Getting Started
Exec uses WorkOS to power SSO and Directory Sync setup. WorkOS provides a guided, self-service Admin Portal that walks your IT team through configuration with step-by-step instructions specific to your identity provider.Contact Your Account Representative
Reach out to your Exec account representative to request SSO or Directory Sync setup.
Receive Your Setup Link
Your IT admin will receive a link to the WorkOS Admin Portal with guided, step-by-step instructions for your specific identity provider.
Frequently Asked Questions
Can users still log in with a password after SSO is enabled?
Can users still log in with a password after SSO is enabled?
No. Once SSO is enabled for a workspace, all users must authenticate through your identity provider. Password-based login is no longer available for that workspace.
Do we need SCIM if we already have SSO?
Do we need SCIM if we already have SSO?
No, SCIM is optional. SSO alone provides centralized authentication. SCIM adds automated provisioning and deprovisioning, which is recommended for organizations that want to reduce manual user management.
Is MFA supported?
Is MFA supported?
Exec relies on your identity provider for multi-factor authentication. When SSO is enabled, your organization’s MFA policies are enforced through your identity provider during the authentication flow.
What identity providers do you support?
What identity providers do you support?
We support any provider that implements SAML 2.0 or OpenID Connect, which covers virtually all enterprise identity providers. See the full list above.