Elido
Help center

Security

SSO, SCIM, and two-factor authentication

Enable SAML SSO for your workspace, automate provisioning with SCIM, and require 2FA for everyone.

Updated 2026-05-09

Elido supports the three pillars of enterprise identity: SAML SSO (Business plan), SCIM 2.0 provisioning (Business plan), and TOTP-based 2FA (every plan, free).

Two-factor authentication#

We support TOTP via apps like 1Password, Google Authenticator, Aegis, and Authy. WebAuthn (hardware keys, Touch ID, Face ID) is on the roadmap.

Enable from Settings → Profile → Security → Two-factor authentication:

  1. Scan the QR code with your authenticator.
  2. Type the 6-digit code we generate to confirm.
  3. Save the 10 recovery codes somewhere safe — they're the only way back in if you lose your phone.

Workspace admins can require 2FA for all members. Members without 2FA enabled are locked out of the dashboard until they enrol; API keys keep working.

SAML SSO#

Available on the Business plan. We're a SAML 2.0 service provider, so any identity provider that supports SAML — Okta, Azure AD, Google Workspace, JumpCloud, OneLogin, Ory, etc. — works out of the box.

Setup:

  1. Settings → SSO → Configure SAML.
  2. Copy the ACS URL and Entity ID into your IdP.
  3. Upload the IdP's metadata XML (or paste the SSO URL + signing cert).
  4. Test with a single user — we provide a "test SSO" button that walks the full flow and shows the SAML response so you can debug attribute mapping.
  5. When everything looks right, flip Require SSO on. Existing password sessions are revoked within 5 minutes.

After enabling, all workspace members must sign in via your IdP. Owners can keep a password-only fallback for break-glass access (off by default; turn on under Advanced).

SCIM 2.0#

SCIM auto-provisions and de-provisions users when you onboard / offboard them in your IdP. Available on Business.

Setup:

  1. Settings → SCIM → Generate token. Copy the token (shown once).
  2. Paste the SCIM Base URL and bearer token into your IdP's SCIM provisioning section.
  3. Map roles via group memberships in your IdP — e.g. group elido-admins → role Admin.

Provisioning events flow through within 60 seconds. De-provisioning revokes the user's session and any API keys they personally issued.

Audit log#

Every authentication event (login, MFA challenge, SSO redirect, SCIM provisioning) lands in the audit log. Business workspaces can stream the audit log to S3 / Datadog / Splunk via webhooks.

Compliance#

We're ISO 27001 certified and SOC 2 Type II. The current attestation reports are available under NDA via trust.elido.app.

Was this helpful?
Need more? Email the team — replies within one working day.Contact support
SSO, SCIM, and two-factor authentication · Elido