SSO & SCIM. Enterprise identity, zero friction.
SAML / OIDC sign-in against any major IdP. SCIM directory sync provisions and deprovisions users automatically. Webhook secrets rotate without losing state.
- SAML / OIDC against 20+ identity providers
- SCIM directory sync — provision and deprovision automatically
- Webhook secret rotation without downtime
- Full audit trail for compliance
SCIM directory sync
Provision and deprovision in under 60 seconds
Connect your IdP directory once. Every hire, transfer, and departure propagates to Elido automatically — no IT ticket, no manual invite, no forgotten offboarding gap.
- Auto-provisioningSCIM CREATE from Okta or Entra → Elido account in under 60s
- Group-to-role mappingIdP groups map to Elido roles; changes propagate on next sync
- Instant deprovisioningSCIM DELETE or active: false → sessions revoked immediately
- API key suspensionAll user API keys suspended on offboarding — no access-after-departure gap
- AAna KovačAdmin
- BBen CarterMember
- CCarla MoraMember
- DDmitri VolkovViewer
- EErika SaloMember
- AAna KovačAdmin
- BBen CarterMember
- CCarla MoraMember
- DDmitri VolkovViewer
- EErika Salodeprovisioned
Identity providers
Works with every major IdP
Elido uses WorkOS as the SSO and SCIM broker — 20+ connections out of the box, plus Generic SAML for any SP-initiated flow. Configure the Elido application in your IdP once; Elido generates the SAML metadata XML or OIDC credentials.
Any SAML 2.0-compliant IdP works via Generic SAML. See the setup guide →
- User provisioned via SCIMokta-scim-svc10.0.1.409:12:04
- SSO login — Oktaana@corp.com91.223.4.1709:14:31
- SSO login — Azure ADben@corp.com185.46.9.209:17:08
- Webhook secret rotatedadmin@corp.com77.123.11.510:05:22
- User deprovisioned via SCIMokta-scim-svc10.0.1.414:33:51
- Role changed: Member → Adminadmin@corp.com77.123.11.515:01:09
Audit trail
Immutable identity event log
Every SSO login, SCIM provision, role change, and secret rotation is logged append-only. No admin can delete entries. Export to CSV or stream to your SIEM via API.
- Timestamp, actor, action, target, and IdP connection per event
- 12-month retention on Business; longer available on request
- API export for SOC 2, ISO 27001, DORA, and NIS2 evidence
- Failed SSO attempts logged with reason code
- IP-based alerting for SSO probing threshold
- Secret rotations reference the overlap window in the log
What you can do
- Okta, Azure AD / Entra, Google Workspace
- Email-domain → connection mapping
- SCIM user create / update / delete
- Webhook signature verification (HMAC-SHA256)
What enterprise SSO and SCIM provisioning actually requires in production
SAML redirect is table stakes. The details below cover provisioning latency, role mapping, secret rotation, and the failure modes that matter to security teams.
SAML 2.0 and OIDC sign-in via WorkOS — email-domain routing to the right IdP connection
Elido uses WorkOS as the SSO broker, which supports 20+ IdP connections including Okta, Azure AD / Entra ID, Google Workspace, OneLogin, PingFederate, and any SAML 2.0-compliant IdP. Your IT team configures the Elido application in your IdP once; Elido generates a SAML metadata XML or OIDC client credentials for the IdP setup wizard. Email-domain routing maps user email domains to the correct IdP connection — users with @yourcompany.com are automatically routed to your Okta connection without needing to select it. Multiple email domains can map to a single connection (for companies with merged entities or multiple email domains). JIT provisioning creates the Elido account on first SSO login if SCIM is not in use; if SCIM is active, JIT is disabled and the account must be provisioned via SCIM before first login.
SCIM 2.0 directory sync: automatic provisioning, deprovisioning, and group-to-role mapping
SCIM 2.0 syncs your identity provider's user directory to Elido. When a user is added to the Elido application group in Okta or Entra, Elido receives a SCIM CREATE event and provisions the user account — no IT ticket, no manual invite. User profile updates (name, email) propagate automatically. When a user is removed from the group or deactivated in the IdP, Elido receives a SCIM DELETE or PATCH (active: false) event and immediately revokes access — active sessions are invalidated, API keys belonging to the user are suspended. Group-to-role mapping lets you map your IdP groups (e.g., 'Elido Admins', 'Elido Viewers') to Elido roles (Admin, Member, Viewer). Role assignments update automatically when group membership changes in the IdP. Provisioning latency from IdP event to Elido account creation is typically under 60 seconds.
Webhook signing secrets rotate without dropping in-flight events — zero-downtime rotation procedure
Elido's SCIM webhook receiver and outbound webhook system use HMAC-SHA256 signatures to verify event authenticity. Secrets expire and need rotation — either on a schedule (recommended: 90 days) or after a suspected compromise. Zero-downtime rotation works as follows: generate a new secret in the dashboard (the old secret remains valid for 15 minutes during the overlap window), deploy the new secret to your systems, verify an incoming SCIM event is verified with the new secret, then trigger immediate expiry of the old secret. The 15-minute overlap window ensures in-flight events signed with the old secret are still processed during the deploy window. Secret rotation is logged in the audit trail with timestamp, actor (the admin who rotated), and confirmation of overlap expiry.
Full identity event log: SSO logins, provisioning events, role changes, and secret rotations
Every SSO sign-in, SCIM provision/deprovision, role assignment change, and secret rotation is logged in the workspace audit trail (Business). Each entry includes: timestamp, actor (user or SCIM service), action type, target (the affected user or resource), IdP connection used, and the workspace ID. The audit trail is append-only and immutable — no admin can delete entries. Export to CSV or query via API for SIEM ingestion. If your compliance framework requires evidence of access control events (SOC 2 Type II, ISO 27001, DORA, NIS2), the audit trail is the artifact. Retention is 12 months on Business; longer retention is available on a request basis for regulated industries.
Forced session expiry via SCIM — access revoked in under 60 seconds on IdP deactivation
When SCIM signals that a user is deactivated (employee offboarding, contractor end-of-contract), Elido immediately invalidates all of that user's active sessions and suspends their API keys. This is not dependent on session cookie TTL — Elido stores a revocation flag per user ID and checks it on every authenticated request. The time from IdP deactivation to Elido access revocation is the SCIM event delivery latency: typically under 30 seconds for Okta, under 60 seconds for Azure Entra. For high-security offboarding (e.g., a departing admin), an Elido workspace admin can also manually revoke a specific user's sessions in the dashboard before the SCIM event arrives. Manually revoked sessions and SCIM-triggered revocations both appear in the audit trail.
Enterprise security teams using Elido SSO & SCIM
Names are placeholders — real customer case studies land here as they are published.
“SCIM offboarding was the requirement our security team had from day one. When an employee is deactivated in Entra, Elido access is gone in under a minute — no manual deprovisioning ticket, no 'forgot to revoke' gap. We audited the logs after three months and found zero access-after-offboarding events.”
“We have five company email domains from two acquisitions. The email-domain → IdP routing in Elido handles all five pointing at the same Okta connection. Users from any domain hit the right SSO flow without picking from a list.”
“Secret rotation without downtime was the detail that sold us. We rotate webhook secrets quarterly as policy; the 15-minute overlap window means we can rotate during business hours with no incident risk. Every rotation is logged, audited, and referenced in our SOC 2 evidence package.”
Elido SSO & SCIM vs Bitly vs Rebrandly
SSO is available on Bitly's enterprise tier and Rebrandly's Business tier. SCIM provisioning is more limited on both. The comparison covers what each actually delivers.
| Feature | Elido | Bitly Enterprise | Rebrandly Business |
|---|---|---|---|
| SAML 2.0 SSO | Yes — WorkOS broker, 20+ IdP connections | Yes — enterprise tier | Yes — Business tier |
| OIDC SSO | Yes — alongside SAML via WorkOS | SAML only | SAML only |
| SCIM 2.0 provisioning | Full create / update / delete + group-to-role mapping | Limited — user create only, no group-to-role | Not available |
| Auto-deprovisioning on offboarding | Yes — SCIM DELETE, session revoked under 60s | Manual only | Manual only |
| Email-domain IdP routing | Yes — multiple domains per connection | Single domain per connection | Not documented |
| Audit trail for identity events | Yes — immutable, 12 months, API export | Limited audit log | Limited audit log |
| Webhook secret rotation (zero downtime) | Yes — 15-minute overlap window | Not applicable | Not applicable |
SSO & SCIM questions
Which identity providers are supported?
Elido uses WorkOS as the SSO and SCIM broker, which supports Okta, Azure AD / Entra ID, Google Workspace, OneLogin, PingFederate, Shibboleth, ADFS, JumpCloud, and any SAML 2.0-compliant IdP. OIDC connections are also supported for providers like Google Workspace and Azure. If your IdP is not on the WorkOS standard list, WorkOS's 'Generic SAML' connection type works with any SAML 2.0 SP-initiated flow. Contact us if you need a specific IdP connection not listed.
What's JIT provisioning vs SCIM provisioning?
JIT (Just-in-Time) provisioning creates a user account in Elido on their first SSO login — no pre-provisioning required. It's simpler to set up but gives no control over who can log in (anyone with a valid SSO assertion gets an account). SCIM provisioning gives your IdP control: only users in the provisioned group can log in, and accounts are created before first login. For enterprise environments where access must be pre-approved, SCIM is required. When SCIM is active, JIT provisioning is disabled.
How do SCIM group-to-role mappings work?
In workspace SSO settings, you map your IdP groups to Elido roles: e.g., 'Okta group: Elido Admins' → 'Elido role: Admin', 'Okta group: Elido Members' → 'Elido role: Member'. A user's role in Elido follows their IdP group membership — if they're moved from the Admins group to the Members group in Okta, their Elido role is downgraded on next SCIM sync (typically under 60 seconds). A user in multiple groups takes the highest-privilege role from the matching mappings.
Can SSO be required for all users, or is it optional?
SSO can be set to enforced (all users must sign in via SSO — password sign-in is disabled) or optional (users can choose SSO or email+password). On Business, enforcement is configured in workspace SSO settings. Once enforced, users who don't have an active SSO identity are locked out — ensure SCIM provisioning or JIT has seeded accounts before enabling enforcement. Admin accounts can be exempt from SSO enforcement as a break-glass mechanism; this is configurable.
What happens to API keys when a user is offboarded via SCIM?
When SCIM deactivates a user, Elido suspends all API keys that were created by that user. Suspended keys return HTTP 401 on authentication. Keys are not deleted — they remain visible to workspace admins for audit purposes, with a 'suspended — offboarded user' status label. If a service account was using a personal API key (not a workspace service key), the key suspension will break that integration — this is intentional. For production integrations, use workspace-level service keys rather than user API keys.
Is SSO available on Pro, or only Business?
SSO and SCIM are Business-only features. Pro workspaces use Elido's built-in authentication (email + password via Ory Kratos, optional Google/GitHub OAuth). If SSO is a hard requirement for your procurement approval, the Business plan is the starting point.
How do I handle SSO for a workspace that has multiple brands or sub-organizations?
Each Elido workspace has its own SSO configuration — if you run multiple workspaces (e.g., per brand, per business unit), each gets its own IdP connection and SCIM provisioning separately. Users can be members of multiple workspaces with different roles in each; their IdP identity is the same, but group-to-role mappings are evaluated per workspace. A shared Okta group can map to Admin in one workspace and Member in another.
Is there an audit trail for failed SSO attempts?
Yes. Failed SSO attempts (invalid SAML assertion, expired session, missing SCIM account when JIT is disabled) are logged in the workspace audit trail with the reason code. This is useful for diagnosing why a specific user can't log in and for detecting brute-force SSO probing. Failed attempts from IP addresses that exceed a threshold trigger a workspace alert (configurable in workspace security settings).
Keep reading
White-label portal SSO — your customers sign in to your branded dashboard via their IdP.
HMAC-signed outbound webhooks — the same secret-rotation pattern applies to outbound webhook signatures.
Workspace service keys for production API integrations — scoped to workspace, not individual users.
SOC 2, ISO 27001, EU residency, and dedicated edge — the full enterprise feature stack.