Today, we are killing seat-based pricing to let you provide secure, authenticated access to your thousands of users, clients or employees.
Our customers spoke: They want to give thousands of people secure access to their CustomGPT.ai agents, without paying for each seat (like ChatGPT or Claude).
Now, you can use your existing identity provider to connect directly to your CustomGPT.ai agents. Users authenticate the way they always do – through Google Workspace, Microsoft Entra ID, Okta, PingOne, or any SAML 2.0 provider – and land on the right agents automatically.
No accounts to create. No passwords to manage. No admin overhead as people join or leave. Sessions last 24 hours and no user is ever stored in CustomGPT.ai.
Now, you can give every employee / student / client secure access to your AI agents, without buying seats or provisioning accounts.
Example Scenario: 7,000 person University
Instead of paying per seat, this university can now enable custom GPTs with their institutional knowledge and make it securely accessible (using their own login system) to all their students and faculty.
No more buying 7,000 licenses of Microsoft Copilot, just to create secure custom agents.
Set it up once
Your IT team connects your IdP, maps user groups to agents, and picks a deployment method – either a single portal link that routes everyone to the right place, or an embedded agent on your website or intranet.
Your IdP handles who gets in (See setup guide).
Great fit for Enterprise like:
- Consulting firms give clients secure access to project agents through the client’s own corporate login.
- Universities connect campus SSO so students access course-specific agents based on class enrollment.
- Manufacturing companies route partners to the right product documentation based on their partnership tier.
The pattern is the same: the users already exist in your identity system. Now that system controls their AI access too.
Available Now
This is an Enterprise feature that needs to be enabled on your account. Reach out and we’ll get you set up.
Frequently Asked Questions
What is IdP-based end-user access?
A feature that lets end-users (partners, vendors, students) access specific AI agents by authenticating through their corporate Identity Provider, without needing a CustomGPT account.
Which plans include this feature?
IdP-based end-user access is available exclusively to Enterprise customers with SSO already configured.
Which Identity Providers are supported?
Any SAML 2.0 compliant Identity Provider works, including Microsoft Entra ID, Okta, Google Workspace, and PingOne.
Is this the same as regular SSO?
No. Regular SSO lets your internal team members log into CustomGPT with corporate credentials. IdP-based end-user access lets end-users access specific agents without becoming CustomGPT users at all.
Can I use this feature without SSO configured?
No. You must have SSO already set up for your CustomGPT Enterprise account before enabling IdP-based end-user access.
How do I enable this feature?
Go to My Profile → SSO tab, enter the IdP attribute name you want to use for role mapping, and copy the unique portal login URL to share with end-users.
What’s an IdP attribute?
An attribute is a piece of information your IdP sends about each user — like department, group, or custom field. You configure your IdP to send an attribute whose value will match a role name in CustomGPT.
Do I need to create new roles?
Yes. Create a role in Teams → Roles with a name that exactly matches the IdP attribute value. The role should be set to “local” scope and have chat-only permissions with specific agents assigned.
Can I give different groups access to different agents?
Yes. Create multiple roles with different names, each assigned to different agents. Configure your IdP to send the appropriate attribute value for each user group.
How do I share the portal URL with end-users?
Copy the unique portal login URL from your SSO settings and share it via email, intranet, or any communication channel. This URL is specific to your organization.
Can I customize the portal appearance?
The portal inherits your agent’s appearance settings including colors and branding, providing a consistent experience for end-users.
How do universities use this feature?
Professors create separate roles for each class (e.g., “biology-101”, “history-202”), assign class-specific agents to each role, and students access via campus SSO with their class enrollment determining which agents they see.
How do enterprises use this for partner access?
Create a role matching your partner organization’s IdP attribute, assign relevant agents (product documentation, support tools, collaboration assistants), and partners access through their existing corporate login.
Can contractors access onboarding materials through this?
Yes. Create a contractor role, assign onboarding agents, and contractors authenticate via their employer’s IdP to access training and documentation agents.
Is this suitable for customer-facing AI agents?
Yes, if your customers use a corporate IdP. B2B companies can give their enterprise customers secure access to support agents or product assistants without managing individual accounts.
What do end-users see when they click the portal URL?
They’re redirected to their corporate login page, authenticate with their usual credentials, and land directly on the agent (if one) or a portal showing available agents (if multiple).
How long does access last?
Each session lasts 24 hours from initial login. After expiration, users simply log in again through the same portal URL.
Do end-users need to create a password or profile?
No. End-users authenticate entirely through their corporate IdP. They never create a CustomGPT account or password.
Can end-users see their conversation history?
No. Since no account is created, conversation history is not retained between sessions. Each session starts fresh.
What happens if an end-user has access to multiple agents?
They see a portal page listing all agents their role permits, and can click to enter any of them.
Can end-users switch between agents during a session?
Yes. If they have access to multiple agents, they can return to the portal and select a different agent within the same 24-hour session.
Can end-users access other parts of the platform?
No. End-user sessions are restricted to chat-only access on assigned agents. Any attempt to access the dashboard, settings, or other areas redirects them back to the agent portal.
What happens if someone’s IdP attribute doesn’t match any role?
They see an “unauthorized” error page and cannot access any agents.
Are end-users created as accounts in CustomGPT?
No. End-users remain completely anonymous — no account is created. Their conversations appear as anonymous in your analytics.
Is user data from sessions stored?
Conversation data is stored like any other chat, but no personal user data is retained — sessions are anonymous.
How do I revoke access for an end-user?
Access is controlled through your IdP. Remove the user from the relevant group or change their attribute value in your IdP, and they’ll lose access on their next login attempt.
Can end-users share their session with others?
Sessions are tied to IdP authentication. Sharing the portal URL doesn’t grant access — each user must authenticate through the IdP with valid credentials.
Is data from end-user sessions kept separate?
All conversations are stored within your CustomGPT project like regular chats, following your existing data retention and security policies.
Can I see how many end-users are accessing my agents?
Yes. End-user sessions appear in your analytics. Conversations are marked as anonymous but you can track session volume and engagement.
Can I identify which end-users had which conversations?
No. By design, end-users are anonymous. You can see conversation content but not individual user identities.
Do sessions count against my query limits?
Yes. Queries from end-user sessions count toward your Enterprise plan’s query allocation like any other usage.
An end-user sees “unauthorized” — what’s wrong?
Either their IdP isn’t sending the expected attribute, or the attribute value doesn’t match any role name exactly. Check your IdP configuration and verify the role name matches precisely.
An end-user can’t chat even though they logged in — what’s wrong?
The matched role likely doesn’t have “create conversation” permission enabled. Edit the role in Teams → Roles to enable chat permissions.
The portal URL isn’t working — what should I check?
Verify SSO is properly configured, the IdP attribute name is entered correctly in your SSO settings, and the feature is enabled on your Enterprise plan.
An end-user authenticated but sees no agents — why?
The matched role has no agents assigned, or the assigned agents have been deleted. Check the role configuration in Teams → Roles.