Your directory is the source of truth.
exAI maps cleanly onto the IdP you already operate. SCIM 2.0 for the user lifecycle, SAML or OIDC for the login, group claims for the role binding. No bespoke identity store, no shadow user table.
This page is the install-day memory: the IdPs we have shipped against, the SCIM endpoints we expose, the assertion fields we read, and the group-to-role mapping you should commit to source control on day one. Tested against Okta, Entra ID, Google Workspace, OneLogin, Ping, and JumpCloud.
Three IdPs in production. Three step-by-step runbooks.
Each provider has a tested sandbox-first runbook, a pre-validated SAML metadata bundle, and a SCIM bearer rotation playbook. Six more IdPs are in beta cutover. The setup guide ships with a sample tenant so you can rehearse before touching prod.
The endpoints your IdP expects.
exAI implements RFC 7644 with the practical extensions enterprise IdPs actually use — custom attributes, nested groups, soft-delete with re-activation, and signed webhooks. Tested against Okta UD, Entra ID lifecycle, and Google Cloud Identity.
Five resource types, full CRUD, and a Bulk endpoint sized for Workday-driven joiner / mover / leaver flows. /Users and /Groups handle the lifecycle; /Schemas and /ResourceTypes let your IdP discover the custom attribute extension at connect-time; /Bulk accepts up to 1,000 ops per request with per-op idempotency keys.
Auth is a tenant-scoped bearer token issued from the admin console, KMS-rotated every 90 days. ETags on every resource so your IdP can do safe concurrent updates. Filter parameters follow RFC 7644 §3.4.2.2 — your existing SCIM client will not need a special case for exAI.
- 01 Custom attributes: Map any IdP attribute into a workspace property (cost-center, manager-id, region), typed and queryable.
- 02 Group-nested membership: Resolve nested groups recursively. A user in eng → platform → sre lands in all three roles, not just the leaf.
- 03 Soft-delete · 30-day window: DELETE flips a tombstone; sessions revoke immediately; artifacts stay queryable for 30 days, then shred.
- 04 Re-activation without artifact loss: PATCH active=true within the window restores the user with the same UUID; PRs, drafts, and comments stay attached.
- 05 Signed webhook on every event: Each provision / update / delete fires a webhook with HMAC-SHA256 + replay-id; consume from your IGA platform.
PATCH /scim/v2/Users/abc-123
Host: scim.exai.dev
Authorization: Bearer scim_*****   # tenant-scoped, KMS-rotated
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {"op": "Replace", "path": "department", "value": "platform"},
    {"op": "Add", "path": "urn:ietf:params:scim:schemas:extension:exai:2.0:User:costCenter", "value": "CC-4117"}
  ]
}
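The signed-webhook feature above says each event carries an HMAC-SHA256 signature and a replay-id. What the consuming IGA side has to do with those two values is not shown on the page, so here is an added example (not exAI's code): the header names, the signing layout "replay-id.timestamp.body", and the 5-minute window are all assumptions for illustration. The order matters: the signature is checked before the replay-id is recorded, so an unauthenticated sender cannot poison the seen-set, and the comparison is constant-time.

```python
import hashlib
import hmac
import json
import time

# Assumed (not from the page): signed string is "<replay-id>.<timestamp>." + raw body,
# carried in X-ExAI-Signature (hex), X-ExAI-Replay-Id and X-ExAI-Timestamp (unix seconds).
REPLAY_WINDOW_SECONDS = 300


def sign(secret: bytes, replay_id: str, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over the assumed canonical string; the sender side."""
    msg = f"{replay_id}.{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver side: authenticate the delivery, then reject replays."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now              # injectable clock so the logic is testable
        self.seen = {}              # replay-id -> expiry (unix seconds)

    def _gc(self) -> None:
        # Entries only need to live as long as a forged timestamp could still be in-window.
        cutoff = self.now()
        self.seen = {k: v for k, v in self.seen.items() if v > cutoff}

    def verify(self, headers: dict, body: bytes) -> dict:
        replay_id = headers.get("X-ExAI-Replay-Id", "")
        ts_raw = headers.get("X-ExAI-Timestamp", "")
        sig = headers.get("X-ExAI-Signature", "")
        if not replay_id or not ts_raw.isdigit():
            return {"ok": False, "reason": "missing replay-id or timestamp"}
        ts = int(ts_raw)
        # Bound the window first so the replay cache stays small.
        if abs(self.now() - ts) > REPLAY_WINDOW_SECONDS:
            return {"ok": False, "reason": "timestamp outside replay window"}
        # Constant-time compare against the signature we compute over the raw body.
        expected = sign(self.secret, replay_id, ts, body)
        if not hmac.compare_digest(expected, sig):
            return {"ok": False, "reason": "bad signature"}
        # Only an authenticated delivery gets to touch the replay cache.
        self._gc()
        if replay_id in self.seen:
            return {"ok": False, "reason": "replayed delivery"}
        self.seen[replay_id] = ts + REPLAY_WINDOW_SECONDS
        return {"ok": True, "reason": "", "event": json.loads(body)}


if __name__ == "__main__":
    # Constructed sample delivery, not a real exAI event.
    secret = b"constructed-shared-secret"
    body = b'{"event":"user.deleted","userId":"abc-123"}'
    now = int(time.time())
    headers = {
        "X-ExAI-Replay-Id": "evt-0001",
        "X-ExAI-Timestamp": str(now),
        "X-ExAI-Signature": sign(secret, "evt-0001", now, body),
    }
    v = WebhookVerifier(secret)
    print(v.verify(headers, body))   # accepted
    print(v.verify(headers, body))   # rejected as a replay
```

Persist the seen-set in shared storage (a TTL key store) if the consumer runs on more than one node; an in-process dict is only correct for a single receiver.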
Four flows. One assertion contract.
exAI accepts every shape your enterprise tenants will throw at it: SP-initiated, IdP-initiated, OIDC PKCE, or just-in-time from the first SSO hit. The attribute mapping is declarative and committed to source control — no admin clicks, no drift.
SP-initiated: User starts at workspace.exai.dev/login, the SP issues a signed AuthnRequest, the IdP authenticates, the assertion lands at /saml/acs over HTTPS-POST.
IdP-initiated: User starts in the Okta / Entra dashboard tile. The IdP POSTs an unsolicited assertion to /saml/acs; the SP validates issuer, audience, and replay window.
OIDC PKCE: Authorization-code flow with S256 PKCE for first-party clients. Refresh tokens are rotated on every use and bound to the device fingerprint at issue time.
Just-in-time: First successful SAML / OIDC login auto-creates the user when SCIM hasn't yet pushed them. Attributes resolve on the assertion, role from the group claim, audit row written before the redirect.
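The SP-initiated and IdP-initiated flows share one assertion contract but differ in one check: a solicited assertion must carry an InResponseTo that matches an AuthnRequest this SP actually issued, while an unsolicited one has none and must be accepted on issuer, audience and replay window alone. The following is an added example, not exAI's /saml/acs implementation, of those checks expressed over the already-parsed fields of an assertion. It assumes the XML signature has already been verified by the SAML library (not shown), models the assertion as a plain dict, and adds a Destination check beyond the three checks the page names.

```python
from datetime import datetime, timedelta, timezone


def _reject(reason: str) -> dict:
    return {"ok": False, "reason": reason}


class AcsValidator:
    """Post-signature checks for /saml/acs: issuer, audience, destination,
    validity window, one-shot InResponseTo, and an assertion-ID replay cache.
    `now` is injectable so the window logic can be tested with a fixed clock."""

    def __init__(self, issuer: str, audience: str, acs_url: str, now,
                 skew: timedelta = timedelta(seconds=120)):
        self.issuer = issuer
        self.audience = audience
        self.acs_url = acs_url
        self.now = now
        self.skew = skew
        self.pending = {}   # AuthnRequest ID -> time issued (SP-initiated only)
        self.seen = {}      # assertion ID -> its NotOnOrAfter

    def issue_authn_request(self, request_id: str) -> None:
        """Called when the SP redirects the browser with a signed AuthnRequest."""
        self.pending[request_id] = self.now()

    def validate(self, a: dict) -> dict:
        now = self.now()
        if a.get("issuer") != self.issuer:
            return _reject("issuer mismatch")
        if self.audience not in a.get("audiences", ()):
            return _reject("audience mismatch")
        if a.get("destination") != self.acs_url:
            return _reject("destination mismatch")
        # NotBefore / NotOnOrAfter with a small clock-skew allowance.
        if now + self.skew < a["not_before"] or now - self.skew >= a["not_on_or_after"]:
            return _reject("outside validity window")

        in_response_to = a.get("in_response_to")
        if in_response_to is None:
            flow = "idp-initiated"          # unsolicited POST from the dashboard tile
        elif in_response_to in self.pending:
            del self.pending[in_response_to]   # one-shot: a second answer to the same request is a replay
            flow = "sp-initiated"
        else:
            return _reject("unknown or already-consumed InResponseTo")

        # Replay cache keyed on assertion ID, pruned once an entry is past its own NotOnOrAfter.
        self.seen = {k: v for k, v in self.seen.items() if v + self.skew > now}
        if a["id"] in self.seen:
            return _reject("replayed assertion")
        self.seen[a["id"]] = a["not_on_or_after"]

        return {"ok": True, "flow": flow, "subject": a["subject"],
                "groups": list(a.get("groups", []))}


if __name__ == "__main__":
    # Constructed assertion values; the IdP entity ID is a placeholder.
    t0 = datetime.now(timezone.utc)
    v = AcsValidator("https://idp.example.test/metadata", "https://workspace.exai.dev",
                     "https://workspace.exai.dev/saml/acs", now=lambda: t0)
    v.issue_authn_request("_req-1")
    assertion = {
        "id": "_assert-1", "issuer": "https://idp.example.test/metadata",
        "audiences": ["https://workspace.exai.dev"],
        "destination": "https://workspace.exai.dev/saml/acs",
        "not_before": t0 - timedelta(minutes=1), "not_on_or_after": t0 + timedelta(minutes=5),
        "in_response_to": "_req-1", "subject": "alice@example.test", "groups": ["sre"],
    }
    print(v.validate(assertion))
```

The pending-request table is what distinguishes the two SAML flows at the SP: an assertion whose InResponseTo is absent is treated as IdP-initiated, and an assertion whose InResponseTo is present but unknown is rejected outright rather than downgraded to the unsolicited path.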
Your IdP groups are the role bindings.
exAI roles are not a side database; they are derived at assertion time from the group claim your IdP already governs. Move a person between groups in Okta — their permissions in exAI follow on the next session, not on the next sync.
Four canonical roles cover 95% of enterprise installs: workspace.member, workspace.admin, org.billing, and org.audit. The remaining 5% are custom — declared in a YAML policy file, committed to your IGA repo, and applied at the next group refresh.
Bind groups by exact name, regex, or by a graph claim. Nested memberships are resolved recursively to avoid the classic Active Directory “flat group” trap. Conflicting claims resolve to the strictest role — not the broadest — every time, with the resolution written to the audit log.
The platform team should commit scim.bindings.yml to the same repo that owns your IdP-as-code. Drift detection runs nightly; deviations surface as a ticket in your IGA tool of choice.
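The two rules in this section, recursive nested-group resolution and strictest-role conflict resolution with an audit record, are easy to state and easy to get subtly wrong (cycles in the group graph, a regex binding that quietly overlaps an exact one). The following added example, which is not exAI's resolver and does not read the real scim.bindings.yml, shows both rules over a constructed group graph and a constructed binding list. The binding format, the privilege ordering of the four canonical roles, and the use of full-string regex matching are all assumptions; the "graph claim" binding type mentioned above is not modelled.

```python
import re
from collections import deque

# Assumed privilege ordering (not stated on the page): lower = fewer privileges = "stricter".
PRIVILEGE = {"workspace.member": 0, "org.audit": 1, "org.billing": 2, "workspace.admin": 3}

# Constructed bindings in the shape one might keep in scim.bindings.yml (format assumed).
# The last entry deliberately overlaps the exact "sre" binding to exercise conflict resolution.
BINDINGS = [
    {"match": "exact", "group": "eng",                   "role": "workspace.member"},
    {"match": "regex", "group": r"platform(-.*)?",       "role": "workspace.admin"},
    {"match": "exact", "group": "sre",                   "role": "org.audit"},
    {"match": "regex", "group": r"s.*",                  "role": "workspace.admin"},
]

# Constructed nesting, child -> parents: sre is a member of platform, platform of eng.
GROUP_PARENTS = {"sre": ["platform"], "platform": ["eng"], "eng": []}


def _matches(binding: dict, group: str) -> bool:
    if binding["match"] == "exact":
        return binding["group"] == group
    if binding["match"] == "regex":
        # fullmatch so a pattern cannot accidentally bind a superstring group name.
        return re.fullmatch(binding["group"], group) is not None
    raise ValueError(f"unknown match type {binding['match']!r}")


def expand_groups(direct: list, parents: dict) -> set:
    """Transitive closure over parent links; the seen-set makes cycles terminate."""
    seen, queue = set(), deque(direct)
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(parents.get(g, []))
    return seen


def resolve_roles(direct_groups: list, parents=GROUP_PARENTS, bindings=BINDINGS) -> dict:
    """Returns the effective roles plus one audit row per conflict resolved."""
    groups = expand_groups(direct_groups, parents)
    roles, audit = set(), []
    for g in sorted(groups):
        candidates = sorted({b["role"] for b in bindings if _matches(b, g)})
        if not candidates:
            continue
        if len(candidates) > 1:
            # Conflicting claims for one group resolve to the strictest role, and the
            # decision is recorded so an auditor can see why the broader role was dropped.
            chosen = min(candidates, key=PRIVILEGE.__getitem__)
            audit.append({"group": g, "candidates": candidates, "resolved": chosen})
        else:
            chosen = candidates[0]
        roles.add(chosen)
    return {"groups": sorted(groups), "roles": sorted(roles), "audit": audit}


if __name__ == "__main__":
    print(resolve_roles(["sre"]))
```

The user whose only direct group is sre lands in eng and platform as well, picks up one role per matched group, and the sre-level conflict between org.audit and workspace.admin is resolved to org.audit with an audit row saying so.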
Wire it once. Forget it.
One bearer token, one SAML metadata bundle, one YAML policy file. Joiners provision in seconds, movers re-bind on next session, leavers tombstone immediately and shred at thirty days. After install day, the only person who touches identity in exAI is the auditor pulling evidence.