Enterprise SSO

Per-agent OIDC SSO (see Authentication > SSO) is enough for a single standalone. Enterprise extends it across a fleet: one identity provider, one allowlist policy, applied to every agent the control plane manages.

Capabilities

One IdP, many agents: configure Okta, Microsoft Entra ID, or any compliant SAML / OIDC provider once in the control plane; every registered standalone enforces it.
Group-based allowlists: scope agent access to IdP groups (not just emails or domains) so onboarding and offboarding flow through your existing identity workflow.
Just-in-time provisioning: first sign-in creates the user record automatically; revocation in the IdP cascades to all agents on the next token refresh.

Next steps

RBAC

Once users authenticate, control what they can do.

Audit logs

Track who signed in and what they changed.

Last modified on May 20, 2026

Multi-agent management

RBAC

Capabilities
Next steps

Get started

Guides

Standalone

Frameworks

Memory

Guardrails

Tools

Observability

Authentication

Integrations

Deploy

Reference

Enterprise

Help

Capabilities

Next steps

RBAC

Audit logs

Get started

Guides

Standalone

Frameworks

Memory

Guardrails

Tools

Observability

Authentication

Integrations

Deploy

Reference

Enterprise

Help

Documentation Index

​Capabilities

​Next steps

RBAC

Audit logs

Capabilities

Next steps