One identity provider. One audit trail. Zero lockout anxiety.

• Okta
• Microsoft Entra ID
• Google Workspace
• Auth0

Ping, OneLogin, JumpCloud, and any generic SAML 2.0 or OpenID Connect IdP also work against the same endpoints.

• Federated single sign-on

  SAML 2.0 assertion consumer endpoints and OpenID Connect authorization-code-with-PKCE, per tenant, per protocol. Switch between SAML and OIDC without losing configuration.

• Automated provisioning

  Full SCIM 2.0 Users and Groups surface (POST, GET, PATCH, PUT, DELETE) with ETag concurrency control and RFC 7644 filter support. Plug your HR system or IdP directly into us.

• Per-tenant self-serve

  Every tenant admin configures their own IdP, rotates their own certificates, issues their own SCIM tokens. No support tickets, no operator credential sharing.

• Certificate trust pool

  Rotate SAML signing certificates without a maintenance window — old and new certificates live side by side in the trust pool until you remove the old one.

• JIT and strict mode

  Create users on first SSO login by default, or flip on strict mode to reject any subject not pre-provisioned via SCIM. Your security team picks the posture.

• Domain verification

  Route SP-initiated login to the correct tenant via DNS TXT challenge ownership. Re-verified every 90 days automatically. First-claim-wins cross-tenant collision handling.

• Break-glass safeguards

  Designated admins keep local-password access even when SSO is enforced tenant-wide. The system refuses to leave you with zero break-glass accounts. Operator recovery for the worst-case.

• Complete audit trail

  Every login, every SCIM mutation, every configuration change, every certificate rotation — recorded with correlation IDs, exportable on demand for SOC 2 reviews.

• SOC 2 Type II scoped

  Identity-relevant events land in the audit log within 5 seconds. Every assertion, every provisioning call, every configuration change.

• GDPR-compatible

  Identity linkage participates in Article 17 erasure and Article 20 export via the same registry that every other module uses.

• Auditor-ready in one week

  Give an external auditor read access to the audit log and they can reconstruct any user's complete identity history — assertions, role transitions, and all.

• Search SkillMind

  Settings · IdentitySingle sign-on

  Enforce SSOAll non-break-glass users sign in through your IdP.

  Strict modeReject unfederated sessions on emergency console URLs.

  Ok

  OktaConnected · 2 minutes ago

  Active

• Search SkillMind

  Single sign-on · SAML wizardConfigure SAML

  ✓Provider

  2Metadata

  3Mapping

  4Verify

  Identity provider metadata URL

  https://idp.example.com/sso/saml/metadataFetch

  Metadata parsed

  Issuerhttps://idp.example.comCert SHA-2563a:8f:2c:1d:…Expires2028-04-18

• Search SkillMind

  Identity · ProvisioningSCIM tokens

  New token

  Token displayed onceCopy the secret now — we store only the SHA-256 hash and cannot reveal it again.

  scim_pat_3a8f2c1d••••••••Copy

  Production · Oktaread:users write:users

  12 days agoRotate

  Staging · Entraread:users write:groups

  32 days agoRotate

  Pilot tenantread:users

  4 months agoRotate

• Search SkillMind

  Identity · AuditRecent identity events

  Last 7 daysAuthenticationProvisioningConfiguration

  2026-04-30 14:22a.khoury@meridian.coauth.login.sso.success

  2026-04-30 14:18system · scimscim.user.created

  2026-04-30 13:54system · scimscim.group.updated

  2026-04-30 12:41unknownauth.login.sso.failed

  2026-04-30 11:32d.park@skillmind.cosso.config.changed

• Okta setup guide→
• Microsoft Entra ID setup guide→
• Google Workspace setup guide→
• Auth0 setup guide→

Ready to ship enterprise-ready SSO to your team?

Talk to our team about a pilot. We stand up a sandbox tenant pointed at your IdP within one business day.