Customer SSO

Connect each customer's identity provider through WorkOS, with JIT provisioning on first sign-in.

Customers sign in with their own identity provider — for example Microsoft Entra ID via SAML — brokered through WorkOS. You configure it per customer from the SSO panel on the customer's detail page.


Set up SSO

Verify the customer's email domain

Domain verification is the entry point — enter the customer's domain (e.g. acme.com) and verify it. The SSO setup controls appear once a domain is verified.

Open the setup portal

Click Start SSO setup (or Reconfigure SSO). This opens the WorkOS Admin Portal directly in a new tab — portal links expire about 5 minutes after generation, so there's nothing to copy or email. Complete the identity-provider connection there yourself, or on a screen-share with the customer's IT admin.

Optionally require SSO

Turn on the require-SSO policy to make the customer's identity provider the only sign-in path for their users.


JIT provisioning

With SSO active and JIT (just-in-time) provisioning enabled, a user from the customer's verified domain is provisioned into the customer's workspace automatically on first sign-in — and starts consuming a seat.

JIT is on by default for new customers. As soon as SSO is active, users from the verified domain will auto-provision and consume seats on first sign-in. If you want to control membership manually, turn JIT off on the customer's detail page before completing SSO setup.
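The sign-in decision these settings imply, written out as an added example; it is not the product's or WorkOS's code. The `Customer` model, the `sign_in` function, the decision strings and the exact-match domain rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Customer:
    """Hypothetical model of the settings on a customer's detail page."""
    verified_domains: set
    sso_active: bool = False
    jit_enabled: bool = True          # the page: JIT is on by default
    require_sso: bool = False
    members: set = field(default_factory=set)   # each member holds a seat

def email_domain(email):
    """Lowercased domain of an address, or None if it is malformed."""
    local, sep, domain = email.strip().lower().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return domain

def sign_in(customer, email, via_sso):
    """Decide one sign-in attempt; may add a member (consume a seat)."""
    domain = email_domain(email)
    if domain is None:
        return "deny:malformed-email"
    email = email.strip().lower()
    if customer.require_sso and not via_sso:
        return "deny:sso-required"          # IdP is the only sign-in path
    if email in customer.members:
        return "allow:existing-member"      # no additional seat
    if not via_sso or not customer.sso_active:
        return "deny:not-a-member"
    # Assumption: exact match only, so sub-domains and look-alike
    # suffixes of a verified domain never auto-provision.
    if domain not in customer.verified_domains:
        return "deny:unverified-domain"
    if not customer.jit_enabled:
        return "deny:jit-off"               # membership is managed manually
    customer.members.add(email)
    return "provision:seat-consumed"

if __name__ == "__main__":
    acme = Customer(verified_domains={"acme.com"}, sso_active=True)
    # Constructed sample sign-ins: (email asserted by the IdP, via_sso)
    for email, via_sso in [("Ana@ACME.com", True), ("ana@acme.com", True),
                           ("bob@eu.acme.com", True),
                           ("bob@acme.com.lookalike.example", True),
                           ("carol@acme.com", False)]:
        print(f"{email:34} {sign_in(acme, email, via_sso)}")
```

Only the first sign-in in the sample consumes a seat; the repeat sign-in is an existing member and the rest are denied.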

Next Steps

Customer Provisioning

Seat caps and the customer lifecycle.

Billing

JIT-provisioned users consume seats — here's how they're metered.