Provide secure, authenticated access using your existing login process. No new accounts to create, no passwords to manage, and no extra admin overhead.
Extend your existing identity system to AI agents with SAML 2.0, SCIM, and role-based access
Scale AI access to thousands of users without creating or managing new accounts
Give clients secure, role-based access to the AI agents built for them
Let students access AI tools with the university login they already use
Give partners access to the right agents so each group sees only relevant content
Provide contractors and citizens secure access through a government-approved identity provider
Your IT team configures access via the dashboard.
Choose your method:
End User IdP Login is available on Enterprise plans for organizations that need secure, role-based access at scale.
Learn more about this feature in our docs.
A feature that lets end-users (partners, vendors, students) access specific AI agents by authenticating through their corporate Identity Provider, without needing a CustomGPT account.
IdP-based end-user access is available exclusively to Enterprise customers with SSO already configured.
Any SAML 2.0 compliant Identity Provider works, including Microsoft Entra ID, Okta, Google Workspace, and PingOne.
No. Regular SSO lets your internal team members log into CustomGPT with corporate credentials. IdP-based end-user access lets end-users access specific agents without becoming CustomGPT users at all.
No. You must have SSO already set up for your CustomGPT Enterprise account before enabling IdP-based end-user access.
Go to My Profile → SSO tab, enter the IdP attribute name you want to use for role mapping, and copy the unique portal login URL to share with end-users.
An attribute is a piece of information your IdP sends about each user — like department, group, or custom field. You configure your IdP to send an attribute which value will matche a role name in CustomGPT.
Yes. Create a role in Teams → Roles with a name that exactly matches the IdP attribute value. The role should be set to “local” scope and have chat-only permissions with specific agents assigned.
Yes. Create multiple roles with different names, each assigned to different agents. Configure your IdP to send the appropriate attribute value for each user group.
Copy the unique portal login URL from your SSO settings and share it via email, intranet, or any communication channel. This URL is specific to your organization.
The portal inherits your agent’s appearance settings including colors and branding, providing a consistent experience for end-users.
Professors create separate roles for each class (e.g., “biology-101”, “history-202”), assign class-specific agents to each role, and students access via campus SSO with their class enrollment determining which agents they see.
Create a role matching your partner organization’s IdP attribute, assign relevant agents (product documentation, support tools, collaboration assistants), and partners access through their existing corporate login.
Yes. Create a contractor role, assign onboarding agents, and contractors authenticate via their employer’s IdP to access training and documentation agents.
Yes, if your customers use a corporate IdP. B2B companies can give their enterprise customers secure access to support agents or product assistants without managing individual accounts.
They’re redirected to their corporate login page, authenticate with their usual credentials, and land directly on the agent (if one) or a portal showing available agents (if multiple).
Each session lasts 24 hours from initial login. After expiration, users simply log in again through the same portal URL.
No. End-users authenticate entirely through their corporate IdP. They never create a CustomGPT account or password.
No. Since no account is created, conversation history is not retained for end-user users between sessions. Each session starts fresh.
They see a portal page listing all agents their role permits, and can click to enter any of them.
Yes. If they have access to multiple agents, they can return to the portal and select a different agent within the same 24-hour session.
No. end-user sessions are restricted to chat-only access on assigned agents. Any attempt to access dashboard, settings, or other areas redirects them back to the agent portal.
They see an “unauthorized” error page and cannot access any agents.
No. End-users remain completely anonymous — no account is created. Their conversations appear as anonymous in your analytics.
Conversation data is stored like any other chat, but no personal user data is retained — sessions are anonymous.
Access is controlled through your IdP. Remove the user from the relevant group or change their attribute value in your IdP, and they’ll lose access on their next login attempt.
Sessions are tied to IdP authentication. Sharing the portal URL doesn’t grant access — each user must authenticate through the IdP with valid credentials.
All conversations are stored within your CustomGPT project like regular chats, following your existing data retention and security policies.
Yes. end-user sessions appear in your analytics. Conversations are marked as anonymous but you can track session volume and engagement.
No. By design, end-users are anonymous. You can see conversation content but not individual user identities.
Yes. Queries from end-user sessions count toward your Enterprise plan’s query allocation like any other usage.
Either their IdP isn’t sending the expected attribute, or the attribute value doesn’t match any role name exactly. Check your IdP configuration and verify the role name matches precisely.
The matched role likely is not “Chat-Only Role” and doesn’t have “create conversation” permission enabled. Edit the role in Teams → Roles to enable chat permissions.
Verify SSO is properly configured, the IdP attribute name is entered correctly in your SSO settings, and the feature is enabled on your Enterprise plan.
The matched role has no agents assigned, or the assigned agents have been deleted. Check the role configuration in Teams → Roles.
Yes. Set your agent to Private visibility, select “Enabled (IdP)” under Private Agent Deployment in the Security tab, then copy the embed code from Deploy. The same role-based access controls apply – users authenticate via a popup without leaving your page.
A “Sign in to chat” button on the widget. Clicking it opens a popup with their organization’s login page – not a CustomGPT.ai login. After authenticating, the popup closes and the chat interface appears.
Your identity system is already in place. Your users are already in it. Now connect them to your chosen AI agents.
