Customer SSO
Customers sign in with their own identity provider — for example Microsoft Entra ID via SAML — brokered through WorkOS. You configure it per customer from the SSO panel on the customer's detail page.
Set up SSO
Verify the customer's email domain
Domain verification is the entry point — enter the customer's domain (e.g. acme.com) and verify it. The SSO setup controls appear once a domain is verified.
Open the setup portal
Click Start SSO setup (or Reconfigure SSO). This opens the WorkOS Admin Portal directly in a new tab — portal links expire about 5 minutes after generation, so there's nothing to copy or email. Complete the identity-provider connection there yourself, or on a screen-share with the customer's IT admin.
Optionally require SSO
Turn on the require-SSO policy to make the customer's identity provider the only sign-in path for their users.
JIT provisioning
With SSO active and JIT (just-in-time) provisioning enabled, a user from the customer's verified domain is provisioned into the customer's workspace automatically on first sign-in — and starts consuming a seat.

