Capabilities
- One IdP, many agents: configure Okta, Microsoft Entra ID, or any compliant SAML / OIDC provider once in the control plane; every registered standalone enforces it.
- Group-based allowlists: scope agent access to IdP groups (not just emails or domains) so onboarding and offboarding flow through your existing identity workflow.
- Just-in-time provisioning: first sign-in creates the user record automatically; revocation in the IdP cascades to all agents on the next token refresh.
Next steps
- RBAC: Once users authenticate, control what they can do.
- Audit logs: Track who signed in and what they changed.