SSO and Identity Management

Short answer

ProvenanceOne authenticates users through the platform identity service, a managed platform service capable of federated identity via SAML 2.0 and OIDC. Whether that federation capability is enabled and available to ProvenanceOne tenants, which identity providers are supported, and whether SSO is plan-gated has not been confirmed from the codebase. This page states what is confirmed and what must be verified before relying on SSO for enterprise onboarding.


What customers need to know

Confirmed: How authentication works today

All platform API calls require authentication via one of two mechanisms:

  • JWT Bearer tokens — issued by the platform identity service User Pool after successful authentication. Passed as Authorization: Bearer <token> on every API request.
  • API keys — workspace-scoped tokens with 16 granular permission scopes, passed via the x-api-key header. Intended for programmatic and integration use.

The identity service supports email/password authentication. This is the confirmed baseline.

What is not confirmed: federated SSO

The platform identity service supports SAML 2.0 and OIDC identity federation as a platform capability. However, whether ProvenanceOne has enabled and configured this for tenant workspaces, which identity providers are officially supported, and whether there are plan or configuration prerequisites has not been confirmed from the codebase or product documentation.

Needs product confirmation: Whether SAML 2.0 SSO federation is available to ProvenanceOne tenants; which identity providers are officially tested and supported (e.g., Okta, Microsoft Entra ID / Azure AD, Google Workspace, PingFederate, OneLogin, Auth0); whether SSO availability is gated by plan tier; the tenant setup process for SSO configuration.

Needs product confirmation: Whether OIDC federation is available in addition to or instead of SAML 2.0; any differences in capability or support between the two protocols.


Admin controls

Role model (confirmed)

ProvenanceOne uses role-based access control with three workspace roles, mapped to the identity service user pool groups:

Role    | Platform group    | Permissions summary
admin   | workspace-admins  | Full workspace control, member management, billing, GDPR erasure
editor  | operators         | Create, edit, publish workflows; manage agents, skills, connections
viewer  | viewers           | Read-only access to runs, audit log, and workflow state

A fourth platform group, approvers, covers approval-specific permissions in the approval workflow.

Workspace admins assign roles to members. Role changes take effect at the next authenticated request.

MFA

The platform identity service supports multi-factor authentication (TOTP and SMS) as a platform capability.

Needs product confirmation: Whether MFA is enforced for ProvenanceOne tenant users; whether MFA enforcement can be configured per workspace by the workspace admin; whether MFA is required for admin-role users.

SCIM directory sync

Needs product confirmation: Whether SCIM 2.0 automatic user provisioning and deprovisioning is available; which identity providers are supported for SCIM sync; whether SCIM is plan-gated.

Just-in-time (JIT) provisioning

Needs product confirmation: Whether JIT provisioning is supported (automatic workspace account creation on first SSO login); any restrictions on JIT-provisioned user roles.


Security implications

The following security considerations apply regardless of SSO configuration:

API key lifecycle. API keys are not tied to a user's identity service session. If a user is removed from a workspace, API keys that user created remain valid until explicitly revoked by a workspace admin. Admins should audit and revoke API keys as part of offboarding.

JWT expiry. Platform JWTs have a configured expiry. Sessions are not indefinite. After token expiry, re-authentication is required.

Role assignment. Roles are assigned per workspace. A user can hold different roles in different workspaces under the same identity.

No confirmed deprovisioning automation. Without confirmed SCIM support, removing a user's IdP account does not automatically remove their ProvenanceOne workspace access. Manual offboarding is required until SCIM availability is confirmed.

Warning: If your security policy requires that workspace access is automatically revoked when an employee's directory account is disabled, verify SCIM or equivalent deprovisioning support with ProvenanceOne before deployment.


Configuration steps

Note: The following reflects configuration available to workspace admins within the confirmed product. SSO federation setup steps cannot be documented until SSO availability is confirmed.

To invite a member and assign a role:

  1. Navigate to Settings → Members.
  2. Enter the user's email address.
  3. Select a role: admin, editor, or viewer.
  4. Send the invitation. The user receives an email to complete account setup via the identity service.

To revoke a member's access:

  1. Navigate to Settings → Members.
  2. Locate the member and select Remove.
  3. Separately revoke any API keys that member created.
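The API key lifecycle point above and step 3 of the revocation procedure are the part of offboarding most easily missed. The following is an added example, not ProvenanceOne code: it models members and API keys with constructed sample data (the `Member`, `ApiKey`, `created_by` and `revoked` names are assumptions, not the product's schema) and produces the admin's checklist plus a list of keys left valid by earlier removals.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    user_id: str
    role: str  # one of the three workspace roles: admin, editor, viewer


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    created_by: str   # user_id of the member who created the key (assumed field)
    revoked: bool = False


def orphaned_api_keys(members: list[Member], keys: list[ApiKey]) -> list[ApiKey]:
    """Active keys whose creator is no longer a workspace member.

    API keys are not tied to the creator's identity-service session, so a
    removed member's keys stay valid until a workspace admin revokes them.
    """
    current = {m.user_id for m in members}
    return [k for k in keys if not k.revoked and k.created_by not in current]


def offboarding_actions(user_id: str, members: list[Member], keys: list[ApiKey]) -> list[str]:
    """Checklist a workspace admin must complete when a user leaves."""
    actions = []
    if any(m.user_id == user_id for m in members):
        actions.append(f"remove member {user_id} in Settings -> Members")
    for k in keys:
        if k.created_by == user_id and not k.revoked:
            actions.append(f"revoke API key {k.key_id} created by {user_id}")
    return actions


# Constructed sample data, not from the product: carol was removed from the
# workspace earlier but one of her keys was never revoked.
MEMBERS = [Member("alice", "admin"), Member("bob", "editor")]
KEYS = [
    ApiKey("key-1", "alice"),
    ApiKey("key-2", "carol"),
    ApiKey("key-3", "carol", revoked=True),
    ApiKey("key-4", "bob"),
]

if __name__ == "__main__":
    for k in orphaned_api_keys(MEMBERS, KEYS):
        print(f"still valid but orphaned: {k.key_id} (creator {k.created_by})")
    for step in offboarding_actions("bob", MEMBERS, KEYS):
        print(step)
```

Run the orphan check periodically, not only at offboarding time, since any removal that skipped step 3 leaves a working credential behind.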

Needs product confirmation: SSO federation configuration steps, including how a workspace admin configures an IdP, uploads metadata, and tests the connection.


Auditability

The following authentication-related actions produce audit events:

  • Member invitation and acceptance
  • Role change (workspace.member_updated)
  • Member removal
  • GDPR member erasure (member.erased, risk: critical)
  • API key creation and revocation

API key usage is authenticated on every request. Secret reveal operations (POST /secrets/{id}/reveal) are always logged as high-risk secret.accessed events, regardless of the actor's role.

Needs product confirmation: Whether SSO login events and failed authentication events are surfaced in the ProvenanceOne audit log; whether there is an audit event for admin role escalation.


Limitations and open questions

Item                                              | Status
SAML 2.0 SSO availability                         | Needs product confirmation
OIDC federation availability                      | Needs product confirmation
Supported identity providers                      | Needs product confirmation
SSO plan gating                                   | Needs product confirmation
MFA enforcement options                           | Needs product confirmation
SCIM 2.0 provisioning                             | Needs product confirmation
JIT provisioning                                  | Needs product confirmation
Automatic deprovisioning on IdP account disable   | Needs product confirmation
Group-to-role mapping via IdP                     | Needs product confirmation
Session timeout configuration                     | Needs product confirmation

Questions to ask your ProvenanceOne contact

Before committing to ProvenanceOne in an enterprise environment with IdP requirements, ask:

  1. Is SAML 2.0 SSO available to tenants? On which plan tier?
  2. Which identity providers are officially tested and supported? (Okta, Microsoft Entra ID, Google Workspace, etc.)
  3. Is SCIM 2.0 directory sync available? Which IdPs are supported for SCIM?
  4. Is MFA enforced for workspace users? Can workspace admins mandate MFA for their users?
  5. Is just-in-time (JIT) provisioning supported? What role is assigned to JIT-provisioned users?
  6. What happens to a user's workspace access when their IdP account is deactivated? Is deprovisioning automatic, or is manual removal required?
  7. Can IdP groups be mapped to ProvenanceOne roles (e.g., an "Engineering" group in Okta maps to editor role)?
  8. Is SSO self-service for admins, or does it require ProvenanceOne support to configure?

FAQ

Does ProvenanceOne support SSO?

ProvenanceOne uses the platform identity service for authentication, which is capable of SAML 2.0 and OIDC federation. Whether federation is enabled for tenant workspaces and which identity providers are supported has not been confirmed. Contact ProvenanceOne to verify SSO availability before procurement.

Which identity providers does ProvenanceOne support for SSO?

This has not been confirmed. The platform identity service is capable of federating with any SAML 2.0 or OIDC-compliant identity provider. Whether ProvenanceOne has enabled and tested specific providers (Okta, Entra ID, Google Workspace, etc.) must be verified with the ProvenanceOne team.

Is MFA enforced for ProvenanceOne users?

The platform identity service supports MFA as a capability. Whether MFA enforcement is enabled or configurable for ProvenanceOne tenants has not been confirmed from the codebase. Verify with ProvenanceOne before relying on this for compliance requirements.

What happens to workspace access when an employee leaves?

Without confirmed SCIM deprovisioning, workspace access must be manually revoked by a workspace admin in Settings → Members. API keys created by that user must also be separately revoked. Confirm SCIM availability with ProvenanceOne if automated deprovisioning is required.

Can I assign roles to users through my IdP?

Role-to-group mapping through an identity provider has not been confirmed. Currently, roles (admin, editor, viewer) are assigned manually by a workspace admin in Settings → Members.

Is there a way to authenticate without a user account?

Yes. Workspace API keys (x-api-key header) provide programmatic access without a user session. API keys carry specific permission scopes and do not expire on the identity service session timeout, but must be revoked manually when access should end.