To set up SSO for your team, confirm you have admin access, choose SAML or OIDC, and configure an app in your identity provider with the ACS URL and Entity ID. Connect it to your workspace, then test with a small pilot group before enforcing SSO for everyone.
Scope:
Last updated: December 2025. Applies globally; align SSO and identity data handling with local privacy laws like GDPR and CCPA/CPRA, plus any additional regional data protection rules.
Prerequisites before you set up SSO
Before touching any settings, get these basics in place:
- Confirm admin roles in your IdP: In systems like Microsoft Entra ID (Azure AD), you typically need a Cloud Application Administrator, Application Administrator, or similar role to configure SSO for enterprise apps.
- Confirm admin access in the application: You’ll need owner/admin rights wherever you’re enabling SSO (for example, your workspace or org-level security settings) so you can turn on SSO and adjust login policies.
- Decide which protocol you’ll use: Most modern apps support SAML 2.0 and/or OpenID Connect (OIDC) on top of OAuth 2.0; these are recommended over legacy password-based or “linked” SSO flows.
- Clarify security and compliance requirements: Consider things like identity assurance, MFA, audit requirements, and federation patterns, in line with digital identity guidance such as NIST SP 800-63-4.
- Scope your first rollout: Decide which apps and which user groups (e.g., IT + one department) will be part of phase one, and who will remain on local accounts temporarily.
- Plan a rollback path: Keep at least one break-glass admin who can still sign in without SSO until you’re confident the rollout is stable.
High-level steps to configure SSO with any IdP
Most identity providers follow the same pattern when you configure SAML or OIDC SSO.
- Create or choose an enterprise app in your IdP: In Entra ID you add an enterprise application; in Google Workspace you add a custom SAML app; in Okta you create an SSO app integration.
- Get IdP metadata for the app: Your IdP will provide either a metadata file or values like SSO URL, Entity ID/issuer, and certificate; you’ll copy these into your application’s SSO settings.
- Configure basic SAML/OIDC settings in the IdP: Add the Assertion Consumer Service (ACS) / redirect URL, the audience/Entity ID, and any sign-on URL that your app requires.
- Map attributes/claims: At minimum, send user email and name; many setups also pass group or role information for authorization decisions. Apps like CustomGPT.ai explicitly require email and first name attributes in setups such as Google Workspace and Okta.
- Assign users and groups: In the IdP, assign the right users or security groups to the new SSO app. Only assigned users will be able to sign in via SSO in integrations like Entra enterprise apps or Okta.
- Exchange metadata with the application: Paste the IdP SSO URL / metadata into your app’s SSO page and, if required, copy back any SP metadata (ACS URL and Entity ID) into the IdP.
- Save and run a basic sign-in test: Most IdPs provide test buttons or preview sign-in flows; use them before rolling the app out to all users.
How to do it with CustomGPT.ai
This section walks through enabling SSO for your team specifically in CustomGPT.ai.
Step 1 – Open SSO settings in CustomGPT.ai
- Sign in to app.customgpt.ai.
- Click your profile icon in the bottom-left and choose My Profile.
- Open the Single Sign On (SSO) tab at the top.
This is where you’ll configure domain verification, SAML details, login policies, SCIM, and email deletion handling.
Step 2 – Add and verify your domain
- Under Add Your Domain, enter the email domain your team uses (for example, company.com).
- Follow the on-screen instructions to add the provided TXT record to your DNS.
- Wait for the status to change to Verified—typically 15–20 minutes, but it can take up to 72 hours. If it’s still not verified after 72 hours, contact CustomGPT.ai support.
Step 3 – Get ACS URL and Entity ID
- Still on the SSO page, copy the ACS URL and Entity ID values. You’ll need these for your IdP configuration (Google Workspace, Azure, Okta, PingOne).
Step 4 – Configure your identity provider for CustomGPT.ai
Use the CustomGPT.ai IdP-specific guides so your settings match exactly:
- Google Workspace (SAML): Create a custom SAML app, download IdP metadata, upload it to CustomGPT.ai, then paste the ACS URL and Entity ID from CustomGPT.ai back into Google. Map Primary email → email and First name → firstName.
- Microsoft Azure / Entra (SAML): Create a non-gallery enterprise application, assign users/groups, configure Single sign-on → SAML, and set the Identifier and Reply URL to the Entity ID and ACS URL from CustomGPT.ai, using the SSO setup guide.
- Okta (SAML + SCIM): In Okta, create a SAML 2.0 app, enter ACS and Entity ID values from CustomGPT.ai, and configure attributes for email and first name. Copy the Okta metadata URL into the Load SAML2 configuration field in CustomGPT.ai.
- PingOne (SAML + SCIM): In PingOne, create a SAML application, import SAML settings from CustomGPT.ai using the Entity ID/ACS URL, set attribute mappings (e.g., email, userName), then copy the IdP metadata URL back into CustomGPT.ai.
Step 5 – Import IdP SAML configuration into CustomGPT.ai
- On the CustomGPT.ai SSO page, provide your IdP’s SAML details by either:
  - Import via URL (e.g., Okta or PingOne metadata URL),
  - Import via XML, or
  - Entering the details manually, such as SSO URL and certificate.
Step 6 – Configure login policy, roles, SCIM, and email deletion
- After SAML is working, customize how SSO behaves for your team:
  - Email authentication options: Choose between allowing sign-in only via SSO or allowing both SSO and email/password.
  - User role configuration: Set default roles for new users, based on your team’s role configuration, so SSO-created users get the correct permissions automatically.
  - SCIM integration: Enable SCIM if you want your IdP to create, update, and deactivate users automatically. The Okta and PingOne guides include the SCIM endpoint and token details.
  - Email deletion handling: Choose whether deleting a user also deletes their projects or transfers them to your account (which may affect storage credits).
- Save your settings, perform a test login via your IdP, and confirm the user lands in CustomGPT.ai with the correct role.
Test and roll out SSO to your team
Once SSO is wired up, treat rollout like a mini-project.
- Test in a non-production or low-risk context first: Microsoft recommends testing SSO in a non-production environment or with limited scope before broad deployment.
- Test with multiple user types: Use at least one admin and one standard user from different groups. Verify they can sign in, sign out, and access appropriate resources.
- Verify attributes and provisioning: Confirm that email, name, and group/role claims are correct and that SCIM (if enabled) is creating and deactivating users as expected in CustomGPT.ai.
- Pilot with a small group: Start with a pilot team (for example, IT + one department). Make sure they understand the new login flow and where to go if sign-in fails. Planning guides from Microsoft emphasize this phased approach.
- Gradually expand and then enforce: As confidence grows, assign more groups in the IdP and eventually switch CustomGPT.ai to “SSO-only” sign-ins if that matches your policy. Keep at least one emergency account with local login until you’re comfortable.
- Monitor logs and security signals: Use your IdP’s sign-in logs and Conditional Access policies to watch for anomalies, lockouts, or misconfigured devices.
Example — SSO rollout for a 50-person SaaS team
Imagine a 50-person SaaS company using Microsoft Entra ID as its IdP and adopting CustomGPT.ai for internal and customer-facing AI agents.
- Plan and scope: The IT admin reviews Entra’s SSO options and deployment planning guidance, decides to use SAML, and targets 10 internal users as a pilot group.
- Configure Entra SSO: They create a non-gallery enterprise application, enable SAML-based SSO, and configure Reply URL and Identifier using the ACS URL and Entity ID from CustomGPT.ai’s SSO page.
- Complete CustomGPT.ai SSO setup: The admin imports the Entra metadata into CustomGPT.ai, verifies sign-in for a single test user, then configures SSO to allow both SSO and email/password during the pilot. Default user roles are set so new SSO users join as “Members,” not owners.
- Pilot phase: A 10-person pilot team is assigned to the Entra enterprise app. The IT admin checks that their conversations and projects are behaving as expected and that SCIM is correctly provisioning new hires from Entra into CustomGPT.ai.
- Full rollout and enforcement: After two weeks with no issues, the admin assigns the remaining 40 users in Entra and switches CustomGPT.ai to “SSO-only” login. One emergency local admin account is kept in reserve in case of IdP outages.
This pattern generalizes well to other IdPs (Google Workspace, Okta, PingOne) using the corresponding CustomGPT.ai SSO guides.
Conclusion
In the end, SSO is a tradeoff between airtight security and keeping access effortless for every teammate. CustomGPT.ai turns that friction into an advantage by combining enterprise-grade SAML/SCIM controls with simple, admin-friendly setup across your existing IdP.
If you’re ready to lock down access without slowing anyone down, configure a secure SSO for your CustomGPT.ai workspace today and give your team one-click, compliant access to every AI assistant they need.
FAQs
How do I set up SSO for my team with any identity provider?
To set up SSO for your team, first confirm you have admin rights in both your app and your identity provider. Create an enterprise or custom SAML/OIDC app, configure ACS/redirect URLs and Entity ID, and map attributes like email and name. Assign the correct users or groups, exchange metadata between the IdP and your app, then run test logins before rolling SSO out to everyone.
How do I set up SSO for my team in CustomGPT.ai?
In CustomGPT.ai, open your profile, go to the Single Sign On (SSO) tab, and add and verify your email domain. Copy the ACS URL and Entity ID, then follow the IdP-specific guide for Google Workspace, Azure, Okta, or PingOne to configure SAML and upload metadata. Back in CustomGPT.ai, import the IdP configuration, set login policy, roles, and optional SCIM, then test sign-in with a pilot group before enforcing SSO-only.