SSO & SCIM

Set up single sign-on and automatic directory sync with your identity provider on Enterprise.

Enterprise organizations can connect EarlyForge to their identity provider so that members sign in through company credentials, and access is provisioned automatically as people join or leave.

SSO and SCIM are Enterprise features. They aren't available on Free, Starter, Pro, or Scale. Contact sales to enable them for your organization.

Single sign-on (SSO)

With SSO, your team signs in to EarlyForge using your identity provider instead of a separate EarlyForge password. EarlyForge supports both OIDC and SAML 2.0, so it works with the major providers — Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, and others.

The setup has three parts: verify your email domain, connect your identity provider, then have your team sign in.

1. Verify your email domain

Before SSO can apply to your users, you prove that you control your company's email domain (for example, yourcompany.com). You do this by publishing a DNS TXT record that only someone with control of the zone could add.

Start domain verification

In your organization's security settings, choose Add domain and enter your company email domain. EarlyForge gives you a unique TXT record value to publish.

Add the DNS TXT record

In your domain's DNS settings (with your domain registrar or DNS host), create a new TXT record using the host and value EarlyForge provided. Save it.

Confirm verification

Back in EarlyForge, click Verify. DNS changes can take a few minutes to a few hours to propagate. Once the record is found, your domain shows as verified.

Keep the TXT record in place after verification — removing it can invalidate your verified domain.
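The record check as an added example (not EarlyForge's own tooling): it parses the output of `dig +short TXT` for the record host, rejoins records that DNS returns as several quoted chunks, and reports whether the exact value is present, a stale value with the same prefix is published, or nothing is. The host label `_earlyforge-verification` and the token value are assumptions; use the host and value shown in your organization's security settings.

```python
"""Check that the domain-verification TXT record is published and matches exactly.

Added example, not EarlyForge's tooling. The record host and token value are
constructed; use the host and value EarlyForge shows you. The input is the text
`dig +short TXT <host>` prints. DNS splits long TXT records into quoted chunks
of up to 255 bytes, so a naive line compare can report "missing" for a record
that is actually correct.
"""
import re

EXPECTED_HOST = "_earlyforge-verification.yourcompany.com"  # assumed host label
EXPECTED_VALUE = "earlyforge-domain-verification=0123456789abcdef0123456789abcdef"  # constructed

# Constructed `dig +short TXT _earlyforge-verification.yourcompany.com` output:
# an unrelated SPF record plus the verification value split into two chunks.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.google.com ~all"
"earlyforge-domain-verification=" "0123456789abcdef0123456789abcdef"
'''


def parse_dig_short_txt(output: str) -> list[str]:
    """Rejoin each line's quoted chunks into one record value, undoing \\x escapes."""
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        records.append(re.sub(r"\\(.)", r"\1", "".join(chunks)))
    return records


def check_verification(records: list[str], expected: str) -> str:
    """'verified' on an exact match; 'mismatch' when only a stale or foreign token
    with the same prefix is published (a common cause of failed verification);
    'missing' otherwise."""
    if expected in records:
        return "verified"
    prefix = expected.split("=", 1)[0] + "="
    if any(r.startswith(prefix) for r in records):
        return "mismatch"
    return "missing"


if __name__ == "__main__":
    # With network access, replace SAMPLE_DIG_OUTPUT with live resolver output, e.g.
    #   subprocess.run(["dig", "+short", "TXT", EXPECTED_HOST, "@1.1.1.1"],
    #                  capture_output=True, text=True).stdout
    # Querying a public resolver shows what an outside check sees once the record has propagated.
    print(check_verification(parse_dig_short_txt(SAMPLE_DIG_OUTPUT), EXPECTED_VALUE))
```

Run it periodically after verification as well: a zone migration or a cleanup of "unused" records is the usual way the TXT record disappears, and the check tells you before the verified-domain status does.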

2. Connect your identity provider

Once the domain is verified, configure the connection between EarlyForge and your IdP.

Choose OIDC or SAML 2.0

Pick the protocol your IdP uses. Most modern providers support OIDC; SAML 2.0 is widely available for enterprise directories. Either works.

Create the application in your IdP

In your identity provider (Okta, Microsoft Entra ID, Google Workspace, etc.), create a new application for EarlyForge. EarlyForge supplies the values the IdP asks for: for SAML, the assertion consumer service (ACS) URL and the service-provider entity ID; for OIDC, the redirect URI. Copy them into your IdP's application exactly as shown, since the IdP will only send assertions or authorization codes to the addresses registered there.

Paste your IdP details into EarlyForge

Copy the corresponding values from your IdP back into EarlyForge's SSO settings. For OIDC that is the issuer URL, client ID, and client secret; for SAML, the IdP sign-in URL and the IdP's signing certificate, which EarlyForge uses to verify the signature on each assertion it receives. The client secret is a credential: paste it straight from the IdP rather than passing it through chat or email.

Test and enable

Run a test sign-in to confirm the round trip works, then enable SSO for your organization. Do the test in a separate browser or private window and keep your existing admin session open, so a misconfigured connection cannot lock you out while you fix it.

3. Your team signs in

Once SSO is enabled, anyone whose email belongs to your verified domain signs in through your identity provider. They authenticate with their company credentials, including any multi-factor policies your IdP enforces, and land in EarlyForge with their assigned role.

SSO controls how people sign in. Their permissions inside EarlyForge are still set by their role. To manage roles automatically as well, pair SSO with SCIM below.
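What happens on the EarlyForge side of the round trip described in "Connect your identity provider" and "Your team signs in", as an added example and not EarlyForge's code: the service provider must validate the IdP's ID token before trusting the identity in it. The block checks the signature, pinned algorithm, issuer, audience (your client ID), expiry, and the per-login nonce, then confirms the asserted email belongs to a verified domain. It uses HS256 keyed with the client secret (which OIDC permits) so it runs on the standard library alone; most IdPs sign with RS256 using keys from their JWKS endpoint, and a maintained library such as PyJWT or authlib should do that part in production. The issuer, client ID, secret, domain, nonce and clock values are constructed.

```python
"""Relying-party validation of an OIDC ID token at SSO sign-in (added example)."""
import base64
import hashlib
import hmac
import json

CONFIG = {  # the values pasted into the SSO settings; all constructed
    "issuer": "https://login.example-idp.com/oidc",
    "client_id": "earlyforge-sso-client",
    "client_secret": b"constructed-client-secret-do-not-reuse",
    "verified_domains": {"yourcompany.com"},
}
NOW = 1_700_000_000   # fixed clock so the example is deterministic
NONCE = "n-8f3a2c"    # in practice generated per login and bound to the browser session


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Stand-in for the IdP. Any alg other than HS256 yields an unsigned token (used to test rejection)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url(sig)}"


def sample_token(**overrides) -> str:
    """A well-formed token for a user in the verified domain; overrides break one claim at a time."""
    alg = overrides.pop("_alg", "HS256")
    claims = {
        "iss": CONFIG["issuer"], "aud": CONFIG["client_id"], "sub": "user-123",
        "iat": NOW, "exp": NOW + 300, "nonce": NONCE,
        "email": "ada@yourcompany.com", "email_verified": True,
    }
    claims.update(overrides)
    return mint_id_token(claims, CONFIG["client_secret"], alg=alg)


def validate_id_token(token: str, cfg: dict, nonce: str, now: int) -> dict:
    """Return {"ok": True, "email": ..., "subject": ...} or {"ok": False, "reason": ...}.
    The signature is checked before any claim is read."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token"}
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "reason": "malformed header"}
    if header.get("alg") != "HS256":        # pin the algorithm; never honour alg=none or a key-type switch
        return {"ok": False, "reason": "unexpected alg"}
    expected = hmac.new(cfg["client_secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != cfg["issuer"]:
        return {"ok": False, "reason": "issuer mismatch"}
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        return {"ok": False, "reason": "audience mismatch"}   # token minted for another app
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return {"ok": False, "reason": "token expired"}
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        return {"ok": False, "reason": "nonce mismatch"}      # replayed or cross-session token
    email = str(claims.get("email", "")).lower()
    if not claims.get("email_verified") or "@" not in email:
        return {"ok": False, "reason": "email not verified by IdP"}
    if email.rpartition("@")[2] not in cfg["verified_domains"]:
        return {"ok": False, "reason": "email domain not verified"}   # SSO only covers verified domains
    return {"ok": True, "email": email, "subject": claims.get("sub")}
```

Note that the domain check is what ties step 1 to step 2: without it, any account the IdP is willing to assert (a guest user, a misconfigured federation) would be accepted as a member of your organization.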

SCIM directory sync

SCIM keeps EarlyForge in sync with your identity provider automatically, so you manage access in one place — your IdP. EarlyForge supports SCIM 2.0.

With SCIM enabled:

  • Provisioning — when someone is added to the EarlyForge app in your IdP (or to a group mapped to it), an EarlyForge account is created for them automatically.
  • Deprovisioning — when someone is removed or deactivated in your IdP, their EarlyForge access is revoked automatically. No manual cleanup, no lingering accounts.
  • Role sync — role assignments flow from your IdP, so group or attribute changes update a member's EarlyForge role without anyone editing it by hand.

How to set it up

Enable SCIM in EarlyForge

In your organization's settings, turn on SCIM. EarlyForge gives you a SCIM base URL and a bearer token. The token is shown once — copy it somewhere safe.

Configure provisioning in your IdP

In your identity provider's provisioning settings for the EarlyForge application, paste the SCIM base URL and bearer token. Enable user creation, updates, and deactivation.

Map users and roles

Assign the users or groups who should have access, and map your IdP's groups or attributes to EarlyForge roles. Your IdP then pushes those users, and every later change to them, to EarlyForge.

Verify the sync

Add and remove a test user in your IdP and confirm the change appears in EarlyForge's team roster. Most identity providers run provisioning on a schedule rather than instantly, so allow for your provider's sync interval (or trigger an on-demand sync if it offers one) before treating a delay as a failure.

Treat the SCIM bearer token like a password. Store it securely, and rotate it if you suspect it has been exposed. EarlyForge keeps it encrypted and never displays it again after setup.
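The server side of the SCIM base URL, as an added example of what the provisioning, deprovisioning and role-sync bullets above mean on the wire (not EarlyForge's implementation): bearer-token authentication with only a hash of the token stored, POST /Users to provision, PATCH /Users/{id} to update or deactivate, and DELETE /Users/{id}. The role mapping, token and sample user are constructed; requests are plain dicts so the block runs offline, and the same logic would sit behind an HTTP framework in a real service.

```python
"""Minimal SCIM 2.0 receiver: provisioning, deprovisioning and role sync (added example)."""
import hashlib
import hmac
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
# Assumed mapping from the value the IdP places in the user's `roles` attribute to an EarlyForge role.
ROLE_MAP = {"EarlyForge Admins": "admin", "EarlyForge Members": "member"}
BEARER_TOKEN = "constructed-scim-token"   # the value shown once in EarlyForge and pasted into the IdP
SAMPLE_USER = {"schemas": [SCIM_USER], "userName": "ada@yourcompany.com", "active": True,
               "roles": [{"value": "EarlyForge Admins", "primary": True}]}


def scim_error(status: int, detail: str):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


class ScimEndpoint:
    def __init__(self, bearer_token: str):
        self._token_hash = hashlib.sha256(bearer_token.encode()).digest()  # never store the raw token
        self.users = {}   # id -> SCIM User resource
        self.roles = {}   # id -> EarlyForge role derived from the resource

    def _authorized(self, headers: dict) -> bool:
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not presented:
            return False
        presented_hash = hashlib.sha256(presented.strip().encode()).digest()
        return hmac.compare_digest(presented_hash, self._token_hash)

    @staticmethod
    def _role_for(user: dict) -> str:
        for role in user.get("roles", []):
            if role.get("value") in ROLE_MAP:
                return ROLE_MAP[role["value"]]
        return "member"   # least privilege when the IdP sends no mapped role

    def handle(self, method: str, path: str, headers: dict, body=None):
        """Dispatch one request; returns (status, json_body)."""
        if not self._authorized(headers):
            return scim_error(401, "missing or invalid bearer token")
        parts = path.strip("/").split("/")
        if parts[0] != "Users" or len(parts) > 2:
            return scim_error(404, "resource not found")
        if len(parts) == 1:
            return self._create(body or {}) if method == "POST" else scim_error(405, "method not allowed")
        uid = parts[1]
        if uid not in self.users:
            return scim_error(404, "user not found")
        if method == "GET":
            return 200, self.users[uid]
        if method == "PATCH":
            return self._patch(uid, body or {})
        if method == "DELETE":   # hard delete; most IdPs deprovision with PATCH active=false instead
            self.users.pop(uid)
            self.roles.pop(uid, None)
            return 204, None
        return scim_error(405, "method not allowed")

    def _create(self, body: dict):
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "core User schema and userName are required")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return scim_error(409, "userName already exists")   # IdPs resolve 409 by lookup, not by duplicating
        uid = str(uuid.uuid4())
        user = {"schemas": [SCIM_USER], "id": uid, "userName": body["userName"],
                "active": bool(body.get("active", True)), "roles": body.get("roles", [])}
        self.users[uid], self.roles[uid] = user, self._role_for(user)
        return 201, user

    def _patch(self, uid: str, body: dict):
        if SCIM_PATCH not in body.get("schemas", []):
            return scim_error(400, "expected a PatchOp message")
        user = self.users[uid]
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() not in ("replace", "add"):  # op names are case-insensitive (Entra sends "Replace")
                return scim_error(400, "unsupported op")
            changes = {op["path"]: op.get("value")} if "path" in op else dict(op.get("value") or {})
            for attr, value in changes.items():
                if attr == "active":
                    if isinstance(value, str):   # Entra ID sends "True"/"False" as strings
                        value = value.lower() == "true"
                    user["active"] = bool(value)  # False means deprovisioned: end sessions and API access
                elif attr == "roles":
                    user["roles"] = value or []
                    self.roles[uid] = self._role_for(user)   # role sync without anyone editing by hand
                elif attr in ("userName", "displayName"):
                    user[attr] = value
                else:
                    return scim_error(400, f"unsupported attribute {attr}")
        return 200, user


def walkthrough() -> dict:
    """Provision, reject a duplicate, deprovision, then delete; returns what each step produced."""
    ep = ScimEndpoint(BEARER_TOKEN)
    ok = {"Authorization": f"Bearer {BEARER_TOKEN}"}
    unauth, _ = ep.handle("POST", "/Users", {"Authorization": "Bearer wrong"}, SAMPLE_USER)
    created, user = ep.handle("POST", "/Users", ok, SAMPLE_USER)
    dup, _ = ep.handle("POST", "/Users", ok, SAMPLE_USER)
    role = ep.roles[user["id"]]
    deact, patched = ep.handle("PATCH", f"/Users/{user['id']}", ok, {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "Replace", "path": "active", "value": "False"}]})
    deleted, _ = ep.handle("DELETE", f"/Users/{user['id']}", ok)
    return {"unauth": unauth, "created": created, "dup": dup, "role": role,
            "deact": deact, "active_after": patched["active"], "deleted": deleted, "remaining": len(ep.users)}
```

Two details carry most of the security weight: the token is compared in constant time against a stored hash, so neither a timing side channel nor a database dump yields it, and an unmapped or missing role attribute falls back to the least-privileged role rather than to an error that leaves the previous role in place.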

SSO vs. SCIM — which do I need?

  • Use SSO so your team signs in with company credentials and you don't manage separate EarlyForge passwords.
  • Add SCIM so accounts and roles are created and removed automatically as your directory changes.

Most enterprises enable both: SSO for authentication, SCIM for lifecycle management.

Getting started

Both features are configured during onboarding with our team. Contact sales to enable SSO and SCIM for your Enterprise organization, and we'll walk you through the IdP-specific steps.
