Self-serve SSO and SCIM for enterprise workspaces

Enterprise admins can now set up single sign-on and directory sync themselves, directly inside Exec. A new Security settings page walks you through the whole process with a step-by-step wizard, so you no longer need to go back and forth with us to get SSO turned on.

The wizard covers domain verification first. You prove you own the domains your users will sign in from. Then you connect your identity provider. Exec supports SAML 2.0 and OIDC, so if your team runs on Okta, Entra ID, Google Workspace, OneLogin, Ping, JumpCloud, or another provider that speaks either protocol, you can wire it up yourself. The wizard gives you the endpoints and field mappings you need, and you verify the connection with a test sign-in before it goes live.

Once SSO is on, you can optionally enable SCIM 2.0 directory sync. That means your identity provider provisions users into Exec automatically, and deactivates them when they leave or lose access in your directory. You set a default seat tier, Basic or Full, for everyone SCIM brings in, so new users land with the right permissions without anyone touching them by hand. If your seat mix is more nuanced than a single default, admins can adjust individuals after provisioning.

You also stay in control after setup. SSO and SCIM can be toggled on or off independently, so you aren't locked into an all-or-nothing configuration. You can add or remove domains as your organization changes. And if you ever need to turn SSO off temporarily, you can do that without disabling SCIM, or vice versa.

One thing worth knowing: once SSO is enabled, it becomes mandatory for your workspace. There's no just-in-time provisioning, so users still need to be invited before they can sign in through your identity provider. SCIM handles that invitation flow automatically when it's on. If SCIM is off, admins invite users manually, same as before.

We built this because every enterprise security setup followed the same pattern. An admin would email us. We would exchange metadata, verify domains together, trade configuration details across a few calls, and eventually flip the switch. It worked, but it turned a simple admin task into a multi-day coordination exercise. The people responsible for security configuration at these companies know exactly what they're doing.