Enterprise capability

Single Sign-On (SAML / OIDC)

Your IdP. Your access policies. Zero local passwords.

Federated identity for LLM Gateway: SAML 2.0 and OpenID Connect, certified for Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, and any compliant IdP. SCIM 2.0 provisioning auto-creates accounts on first login and de-provisions on user removal from your directory — no manual off-boarding. Group-to-role mappings let you grant Admin / Member / Viewer based on AD groups, so access is governed entirely by your existing identity system. Enforce SSO-only mode to block password and passkey logins for your domain.

Why teams turn it on

Universal IdP support

SAML 2.0 and OIDC: Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, Auth0, and any compliant provider.

SCIM auto-provisioning

Users created on first login. Removed users de-provisioned within minutes via SCIM 2.0. No manual cleanup.

Group-based role mapping

Map IdP groups to LLM Gateway roles (Admin / Member / Viewer). Access changes the moment your directory changes.

SSO-only enforcement

Disable password + passkey logins for your domain. Every authentication path is your IdP — no shadow accounts.

How it works

From decision to deployed in three short steps

  1. 01

    Add your IdP metadata

    Paste your SAML metadata URL or OIDC discovery endpoint. We auto-detect endpoints and certificates.

  2. 02

    Map groups to roles

    Create rules: `ai-admins → Admin`, `engineering → Member`, `finance → Viewer`. Multiple group memberships escalate to highest role.

  3. 03

    Enforce SSO-only

    Toggle SSO-only mode for your verified email domain. Password and passkey logins are now blocked for that domain.

Real-world use cases

Why customers actually adopt this

01

Zero-touch onboarding

New engineer joins the AI team in Okta. They log in to LLM Gateway with their SSO; account provisions, role assigned, ready in seconds.

02

Instant off-boarding

Engineer leaves. Removed from Okta. Within minutes, their LLM Gateway session is revoked and their account de-provisioned.

03

Audit-clean access reviews

Quarterly access reviews are trivial — the source of truth is your IdP, and [[audit-logs]] records every role change.

Frequently asked

Do you support SCIM provisioning?
Yes, full SCIM 2.0. Users, groups, role assignments, and de-provisioning all flow through SCIM if your IdP supports it.
What happens to existing accounts when we enable SSO-only?
Existing accounts on your domain are migrated to SSO at next login. Local credentials are deactivated; the user's data, API keys, and project memberships are preserved.

More enterprise capabilities

The rest of the enterprise stack

Organization-Wide Analytics

Cost, requests, and tokens totaled across every project, with breakdowns by model, project, API key, and member. Built on pre-aggregated rollups, so any date range stays fast.

Per-Member Budgets & Developer Role

Per-member spend caps enforced at request time, org-wide default developer limits, and a project-scoped Developer role. An over-budget request is rejected before it ever reaches a provider.

Enterprise Audit Logs

Tamper-evident audit trails for SOC 2, HIPAA, ISO 27001, and internal investigations. Every config change, key rotation, and admin action — captured, attributed, exportable.

Per-Project Routing Overrides

Override global routing rules at the project level — region, provider order, fallback chain, and cost ceilings. Production stays pinned; experimental teams stay flexible.

Enterprise Guardrails

Server-side detection for prompt injection, PII, secrets, and policy violations. Configured centrally, enforced at the gateway, auditable per-request.

Discord & Slack Alerts

Native webhook integrations for Discord and Slack. Get the enterprise contact-sales form, billing events, guardrail trips, and SLA breaches in the channels your team already monitors.

White-Label Chat & Playground

Embed or stand up a fully white-labeled chat app and playground under your own domain. Customize branding, default models, system prompts, and feature toggles.

Provider Compliance Policies

Define the certifications and data policies your providers must meet — SOC 2, ISO 27001, GDPR, no prompt training, no prompt logging — and the gateway refuses to route to anything that doesn't qualify.

See single sign-on (saml / oidc) on your real workloads

Bring a sample workload to a 30-minute call. We'll wire it up live and show you the actual experience your team will get.