Workforce identity
Your directory decides who gets in.
Connect SAML single sign-on so people reach the dashboard through your identity provider, and turn on SCIM so accounts and roles provision and deprovision themselves. When someone leaves the directory, their console access leaves with them.
SAML SSO · SCIM provisioning · group-to-role mapping
okta group sec-engineers maps to role: admin member alice@acme.com on removal access revoked
How it flows
From your identity provider to a scoped seat.
A person signs in through your IdP, lands in the dashboard with the role their group maps to, and loses access the moment your directory says so.
What you get
Access that tracks your directory, not a spreadsheet.
SSO gets people in safely. SCIM keeps the member list honest without anyone remembering to clean it up.
SAML single sign-on
People reach the dashboard through your IdP, so your existing MFA and conditional access apply.
Group-to-role mapping
An IdP group becomes a dashboard role, so the right people get the right access automatically.
SCIM provisioning
New hires in the right group get a seat without a manual invite, scoped to their role from day one.
Deprovision on exit
Remove someone from the directory and their console access is revoked, no offboarding ticket required.
Wire it up
Point your IdP at the endpoints.
Configure the SAML connection and the SCIM endpoint in your identity provider, then map groups to roles.
ACS URL https://api.axiorank.com/auth/saml/acs Entity ID https://api.axiorank.com/auth/saml/metadata Attribute groups -> role mapping
Keep exploring
Continue across the control plane.
Let your directory run the door.
Bring people in through SSO, provision them with SCIM, and make leaving the directory the only off switch you need.