CustomGPT.ai Blog

How to Put an AI Chatbot Behind a Login Page

CustomGPT.ai's End User IdP Login feature allows you to choose which users in your existing login system can view and chat with AI chatbots, assistants, and agents you have created with CustomGPT.

TL;DR

If you want a chatbot on your site, you can embed it fast, but “behind a login page” is the real decision. End User IdP Login gates chat-only access through your IdP and routes users to the agents their role permits, without creating CustomGPT end-user accounts.

  • Start public only for truly public content
  • Use IdP auth when link-sharing risk matters
  • Map IdP attributes to role names for routing
  • Expect 24-hour sessions and anonymous analytics

Add a Chatbot

Most people mean “drop a chat widget on a website” when they say “add a chatbot.” That usually starts as a public embed, because it’s the fastest path to something users can try.

A typical rollout is to pick the page, embed the widget, and confirm it answers the top questions your visitors already ask. Then you decide whether “public” is acceptable.

Public vs Gated

A public chatbot is fine when the knowledge behind it is meant for anyone who lands on the page. The moment the chatbot can expose partner docs, onboarding material, or internal support content, “public link” becomes a risk.

You built the chatbot, but to deploy it safely at scale you need controlled access. According to Verizon’s 2025 Data Breach Investigations Report, 22% of security incidents had credential abuse as an initial attack vector. With End User IdP Login, users authenticate via your IdP, but they do not create a CustomGPT end-user account, which avoids “public guest access” confusion.

Three Gating Patterns

“Behind login” can mean very different things depending on how strict your access requirements are. The clean way to choose is to compare patterns from weakest to strongest, based on what they actually enforce.

Pattern 1 is placing the chatbot only on pages your site already protects. Pattern 2 is domain-level control that limits where the code runs but doesn’t authenticate users. Pattern 3 is true authenticated access through Single Sign-On (SSO), where identity determines which agent a user can reach.

End User IdP Login

End User IdP Login is for situations where “anyone with the link” is not acceptable, but you also don’t want to create and manage accounts for every external user. It gates access through your existing identity provider (IdP).

This feature requires a CustomGPT Enterprise plan and an existing SSO configuration. Learn more about deploying AI agents without managing user accounts.

End-users authenticate entirely through their corporate IdP and never create a CustomGPT account or password. SSO provides centralized identity management, ensuring consistent enforcement of security policies and minimizing risks by reducing weak or reused passwords. 

How it Works

The user experience is designed to feel like “normal login” followed by immediate chat access, without exposing the CustomGPT dashboard or admin surface area. The portal also supports routing users to one agent or multiple agents based on role.

Portal flow:

  1. User visits the portal URL
  2. Authenticates via IdP (SSO)
  3. Routed to allowed agent(s) based on role
  4. Starts chatting immediately

If a user’s role permits one agent, they land directly in chat. If they have access to multiple agents, they see a simple portal page listing available agents and can choose what to open. Learn more about what external users experience.

Setup Snapshot

Before you begin: this feature is available on Enterprise plans and requires existing SSO configuration. Setup is intentionally lightweight: you map one IdP attribute to CustomGPT roles, and you share one portal login URL. This keeps access control centralized in your identity system, not in manual user management.

Admins enable the feature in the SSO settings by entering the IdP attribute name used for role mapping and copying the unique portal login URL to distribute.

In CustomGPT, you create roles whose names exactly match the IdP attribute values you send. Those roles should be chat-only with specific agents assigned, and chat permissions enabled.

If the IdP attribute is missing or doesn’t match any role name, users hit an unauthorized page. If they authenticate but “can’t chat,” the matched role typically lacks the required chat permissions.
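The mapping rules above can be checked offline against a captured assertion before the portal URL is distributed. The following is an added example, not CustomGPT code: the attribute name `chatbot_role`, the role table, and the agent names are hypothetical, and the sample assertion is constructed. It assumes any attribute value that exactly matches a role name counts as a match.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute statement an IdP might send (values made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="chatbot_role">
      <saml:AttributeValue>Partner-Onboarding</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical role table: role name -> chat permission and assigned agents.
ROLES = {
    "Partner-Onboarding": {"can_chat": True, "agents": ["onboarding-agent"]},
    "Contractor": {"can_chat": False, "agents": ["training-agent"]},
}

def attribute_values(assertion_xml, attr_name):
    """Return every value of the named SAML attribute (empty list if absent)."""
    # Diagnostic only: reads an already-captured assertion, verifies no signature.
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:  # attribute name must match exactly
            values += [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
    return values

def diagnose(assertion_xml, attr_name, roles=ROLES):
    """Predict the portal outcome using the rules described in the text."""
    values = attribute_values(assertion_xml, attr_name)
    if not values:
        return "unauthorized: attribute '%s' missing from assertion" % attr_name
    matched = [v for v in values if v in roles]  # exact, case-sensitive match
    if not matched:
        near = [r for r in roles for v in values if r.lower() == v.strip().lower()]
        hint = " (differs only by case/whitespace from %s)" % near if near else ""
        return "unauthorized: no role named %s%s" % (values, hint)
    agents = sorted({a for v in matched if roles[v]["can_chat"] for a in roles[v]["agents"]})
    if not agents:
        return "login ok, cannot chat: role %s lacks chat permission" % matched
    return "chat: " + ", ".join(agents)
```

Running `diagnose` on an assertion exported from the IdP's test or preview tooling shows which of the three outcomes a user would hit and flags near-miss role names that differ only by case or whitespace.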

What You Can Audit

IT and security teams usually ask two questions: “How long does access last?” and “Can we identify who said what?” End User IdP Login answers the first clearly, and is intentionally limited on the second.

Sessions last 24 hours from initial login, then users re-authenticate through the same portal URL.

A 2025 study found SSO to be an effective authentication tool for 80% of participating organizations, with an average decrease in security incidents of 35% from pre-implementation to post-implementation.

In analytics, end-user sessions appear as anonymous by design: you can monitor engagement and usage patterns, but you cannot map conversations to individual user identities.

To revoke access, remove the user from the IdP group or change their attribute value; access stops on their next login attempt. See the full guide on updating and revoking external agent access.

Example Deployment

A common example is granting temporary access to contractors or partners for onboarding or training agents, without creating CustomGPT accounts. You route users based on an IdP attribute value to an onboarding agent, give them a 24-hour authenticated session, and remove access by revoking their IdP credentials, with no CustomGPT end-user account cleanup needed.

Forward to IT/Security

This is the concise proof layer most IT and security reviewers need: protocol, entitlement mapping, session behavior, and how access is revoked. Forward it as-is to speed up approval without pulling engineers into a long thread.

  • Uses SAML 2.0 IdP authentication; supports any SAML 2.0 compliant IdP (including Microsoft Entra ID, Okta, Google Workspace, and PingOne).
  • Access is mapped by IdP attribute → CustomGPT role name exact match, so entitlements remain defined in the IdP.
  • End-users get chat-only access to permitted agents; they cannot access the CustomGPT platform or dashboard.
  • Sessions last 24 hours and re-authentication happens through the portal URL after expiry.
  • Sharing the portal URL alone does not grant access. Access requires IdP authentication and matching role mapping.

Conclusion

If your search starts with “embed a chatbot,” do that first, but treat “behind login” as the real decision point. With 64% of users citing 24/7 availability as the main benefit of chatbots, businesses are working hard to meet these expectations while safeguarding user data. The strongest pattern is IdP-authenticated, role-mapped, chat-only access, so entitlements live in your identity system and public links stop being a security loophole.

Success looks like: your IT/security reviewer can approve the deployment because access is governed by SAML SSO and role mapping, while your web team ships without building a custom auth layer.

The global chatbot market is projected to reach $27.3 billion by 2030, but deployment security remains a critical decision point.

Ready to launch? Start your 7-day free trial to build your chatbot, then contact our team to explore Enterprise plans with IdP-gated deployment.

FAQ

How do I Add an AI Chatbot to my Website?

Start by embedding the chatbot on the page your users already visit (help center, portal home, pricing, or docs). Validate that it answers real questions from your knowledge, then decide if it can stay public or needs gated access. If you expect the chatbot to touch privileged information, treat “behind login” as the main decision, not a cosmetic tweak.

Can You Embed an AI Chatbot Into a Website?

Yes. Embedding is the common default because it’s quick and doesn’t require identity plumbing. The key is understanding that “embedded” doesn’t automatically mean “restricted.” If you need restrictions, choose one of the three gating patterns: site login pages, domain-level restrictions, or true IdP-authenticated access.

How do I Put an AI Chatbot Behind a Login Page for Logged-in Users Only?

If “logged-in users only” just means “only visible inside your portal,” place the widget on pages your existing login already protects. If you need role-based access that follows your identity system, use End User IdP Login so users authenticate through your IdP, then get routed to permitted agents based on IdP attributes. You’ll need to configure SSO and create custom roles to enable this.

Portal vs Embed: Which Should I Choose?

For End User IdP Login, the authenticated experience is delivered through a portal login URL that routes users to the correct agent or agent set based on role mapping. If your primary goal is “get a chatbot on the site fast,” embed the chatbot normally. If your goal is “only authorized users can chat,” choose the portal approach.

Why Does an End-User See “Unauthorized” After Logging in?

An end-user typically sees “Unauthorized” right after logging in because your SSO setup isn’t providing the role information CustomGPT expects: either the Identity Provider (IdP) isn’t sending the correct attribute name, or the attribute value being sent doesn’t exactly match a CustomGPT role name (role matching is case-sensitive). To fix it, review your SSO configuration and confirm the attribute mapping and its values are correct.

Why Can an End-User Log in But Still Can’t Chat?

The matched role likely doesn’t have the required chat permissions enabled. Review your role permissions to ensure “create conversation” is allowed.

Why is The Portal URL Not Working?

Verify SSO is already configured for your Enterprise account, and that the IdP attribute name in your SSO settings matches what your IdP is sending.
