## Why It Matters

Enterprise teams need two things for access compliance: employees sign in with your identity provider (no separate Kit passwords), and access is granted and revoked automatically as people join and leave. Kit supports both — **SAML single sign-on** for login and **Google Workspace directory sync** for automatic provisioning and deprovisioning.

Both are configured under **Settings → Integrations**, and both require an administrator to set up.

> [!NOTE]
> SSO and directory sync are independent. You can enable SSO on its own, directory sync on its own, or both together.

## Part 1: SAML Single Sign-On

SAML SSO lets your team sign in through your identity provider (Google Workspace, Okta, Microsoft Entra, OneLogin, and others). Kit is the **service provider (SP)**; your identity provider is the **IdP**.

### Step 1 — Give your IdP Kit's service provider details

In your IdP's SAML app configuration, use these values from the Kit **SSO** settings page:

| Field in your IdP | Value from Kit |
|---|---|
| ACS URL / Reply URL / Single sign-on URL | `https://app.startupkit.app/users/auth/saml/callback` |
| SP Entity ID / Audience URI | `https://app.startupkit.app/users/auth/saml/metadata` |
| Name ID format | Email address |

The exact values for your account are shown on the SSO settings page. An SP **metadata URL** is also provided there if your IdP prefers to import metadata instead of entering the values by hand.

### Step 2 — Verify your email domain

Kit only accepts SSO logins whose email domain you've **verified** for your account (for example `acme.com`). This is what stops another organization's identity provider from signing users into your workspace. Verify your domain under **Settings → Custom Domains / Account** before enabling SSO.

### Step 3 — Paste your IdP details into Kit

Back on the Kit SSO settings page, enter:

- **IdP Entity ID** — the Issuer / Entity ID from your IdP's SAML app
- **IdP SSO URL** — the sign-in URL your IdP exposes
- **IdP signing certificate** — the X.509 certificate (PEM) your IdP signs assertions with

You can also paste your IdP's **metadata XML** and Kit will fill these in for you.

### Step 4 — Enable SSO

Click **Enable SSO**. Your team can now sign in through your identity provider. Both IdP-initiated sign-in (launching Kit from your IdP dashboard) and standard sign-in are supported.

> [!IMPORTANT]
> When a new person signs in via SSO for the first time, Kit creates their account automatically, as long as their email domain is verified for your workspace. If a user with that email already exists, Kit links the SSO identity to that existing account.
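The following is an added example, not Kit's own code, showing the account-resolution rule the note above describes: reject assertions from any issuer other than the configured IdP, reject email domains that are not verified for the workspace, then create or link the account. It assumes the SAML response has already been signature-checked and parsed, and the `Workspace` and `User` structs are hypothetical stand-ins for the real records.

```ruby
# Added example (not Kit's code). Assumes the caller has already validated the
# SAML signature and extracted the issuer and the email-format NameID.

# Constructed in-memory state standing in for one workspace's configuration.
Workspace = Struct.new(:id, :idp_entity_id, :verified_domains, :users, keyword_init: true)
User      = Struct.new(:email, :workspace_id, :sso_subject, keyword_init: true)

class SsoRejected < StandardError; end

# Resolve a validated assertion to a user of this workspace.
# Returns [user, :created | :linked | :matched].
def resolve_sso_login(workspace, issuer:, name_id:)
  # 1. The assertion must come from the IdP configured for this workspace.
  unless issuer == workspace.idp_entity_id
    raise SsoRejected, "assertion issuer #{issuer} is not this workspace's IdP"
  end

  email  = name_id.to_s.strip.downcase
  domain = email.split("@", 2)[1]
  # 2. Only verified domains may sign in. This is what stops a foreign IdP
  #    from asserting arbitrary addresses into this workspace.
  unless domain && workspace.verified_domains.include?(domain)
    raise SsoRejected, "domain #{domain.inspect} is not verified for this workspace"
  end

  existing = workspace.users.find { |u| u.email == email }
  if existing.nil?
    # 3. First SSO sign-in: the account is created automatically.
    user = User.new(email: email, workspace_id: workspace.id, sso_subject: name_id)
    workspace.users << user
    [user, :created]
  elsif existing.sso_subject.nil?
    # 4. An existing (invited or password) user: link the SSO identity to it.
    existing.sso_subject = name_id
    [existing, :linked]
  else
    [existing, :matched]
  end
end

if __FILE__ == $PROGRAM_NAME
  ws = Workspace.new(id: 1, idp_entity_id: "https://idp.example.com/metadata",
                     verified_domains: ["acme.com"], users: [])
  p resolve_sso_login(ws, issuer: "https://idp.example.com/metadata", name_id: "dana@acme.com")
end
```

Both rejection paths raise before any account is created or linked, so a misconfigured or hostile IdP cannot cause a new user to appear in the workspace.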

## Part 2: Google Workspace Directory Provisioning

Directory sync keeps your Kit members in lockstep with your Google Workspace directory. Because Google does not push changes to apps, Kit **pulls** from the Google Admin SDK on a schedule — Google is always the source of truth.

### Step 1 — Authorize Kit's service account (domain-wide delegation)

A Google Workspace **super admin** must authorize Kit's service account to read your directory:

1. Open the Google Admin console → **Security → Access and data control → API controls → Domain-wide delegation**.
2. Click **Add new** and enter Kit's service account **Client ID** (shown on the Kit directory settings page).
3. Add these **read-only** OAuth scopes, comma-separated:
   - `https://www.googleapis.com/auth/admin.directory.user.readonly`
   - `https://www.googleapis.com/auth/admin.directory.group.readonly`
   - `https://www.googleapis.com/auth/admin.directory.group.member.readonly`
4. Authorize. Propagation can take a few minutes.

> [!CAUTION]
> Kit requests **read-only** scopes only — it can never modify your Google directory. It reads your users and groups to mirror them into Kit.

### Step 2 — Configure the connection in Kit

On the Kit directory settings page, enter:

- **Primary domain** — your Workspace domain (for example `acme.com`)
- **Delegated admin email** — a Workspace admin account that Kit impersonates (with the read-only scopes above) to list the directory
- **Admin group emails** (optional) — members of these Google groups are provisioned as Kit account admins
- **Google customer ID** — leave as `my_customer` unless you manage multiple Google organizations

### Step 3 — Test the connection

Click **Test connection**. Kit runs a read-only probe and reports success, or tells you exactly what's missing:

| Result | What it means |
|---|---|
| Active | Domain-wide delegation and scopes are configured correctly. |
| Service account not authorized for domain-wide delegation | The Client ID hasn't been added in the Admin console (Step 1). |
| Missing required directory scopes | The Client ID is authorized but the read-only scopes weren't granted. |

## How Provisioning & Deprovisioning Work

Once the connection is **Active**, Kit reconciles your team automatically.

| Behavior | Detail |
|---|---|
| Sync cadence | Roughly every hour. Use **Sync now** on the directory page to run it immediately. |
| Source of truth | Google Workspace. Kit mirrors it — it never writes back. |
| New directory user | A Kit account is created and the person becomes a member of your workspace. |
| Removed / suspended user | Their Kit membership is removed, and their API tokens and connected app sessions are revoked. |
| Group → role mapping | Members of your configured admin groups become Kit admins. |
| Seat billing | A provisioned member **consumes a seat** by default (toggle this per connection). With auto-seat off, new directory users are not auto-added. |

### What Kit will never touch

- **The account owner** is never removed by directory sync, even if they're absent from the directory.
- **Manually invited members** are never removed or reclassified — directory sync only manages the members it provisioned.

> [!TIP]
> To offboard someone, remove or suspend them in Google Workspace. At the next sync (or when you click **Sync now**), Kit removes their access and revokes their tokens automatically.
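As an added example that is not Kit's own code, here is the reconciliation pass described by the table above written as a pure function: new active directory users are created (only when seats are auto-consumed), removed or suspended users lose membership and have their tokens revoked, configured admin groups map to the admin role, and the owner and manually invited members are never touched. The `DirectoryUser` and `Member` structs and the sample rows are constructed for this example; a real sync would build them from the Admin SDK and the members table and then apply the returned actions.

```ruby
# Added example (not Kit's code). Pure reconciliation: takes a snapshot of the
# directory and of current members, returns the actions to apply. It never
# produces a write to Google; the directory is the source of truth.

# Hypothetical structs standing in for Admin SDK rows and Kit member records.
DirectoryUser = Struct.new(:email, :suspended, :groups, keyword_init: true)
# role: :owner / :admin / :member   source: :directory (provisioned) / :manual (invited)
Member        = Struct.new(:email, :role, :source, keyword_init: true)

def reconcile(directory_users, members, admin_groups:, auto_seat: true)
  actions = []
  active           = directory_users.reject(&:suspended)
  active_by_email  = active.to_h  { |u| [u.email.downcase, u] }
  members_by_email = members.to_h { |m| [m.email.downcase, m] }

  # 1. New active directory users get an account, unless auto-seat is off.
  active.each do |du|
    email = du.email.downcase
    next if members_by_email.key?(email)
    next unless auto_seat
    role = (du.groups & admin_groups).empty? ? :member : :admin
    actions << [:create, email, role]
  end

  members.each do |m|
    email = m.email.downcase
    # 2. The owner and manually invited members are out of scope for sync.
    next if m.role == :owner || m.source == :manual

    du = active_by_email[email]
    if du.nil?
      # 3. Removed or suspended in Google: drop membership, revoke tokens and sessions.
      actions << [:remove, email]
      actions << [:revoke_tokens, email]
    else
      # 4. Group -> role mapping for members that are still present.
      wanted = (du.groups & admin_groups).empty? ? :member : :admin
      actions << [:set_role, email, wanted] if wanted != m.role
    end
  end
  actions
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample snapshot: bob was suspended, carol is new, frank left.
  dir = [
    DirectoryUser.new(email: "alice@acme.com", suspended: false, groups: ["kit-admins@acme.com"]),
    DirectoryUser.new(email: "bob@acme.com",   suspended: true,  groups: []),
    DirectoryUser.new(email: "carol@acme.com", suspended: false, groups: []),
  ]
  mem = [
    Member.new(email: "owner@acme.com", role: :owner,  source: :manual),
    Member.new(email: "alice@acme.com", role: :member, source: :directory),
    Member.new(email: "bob@acme.com",   role: :member, source: :directory),
    Member.new(email: "erin@acme.com",  role: :member, source: :manual),
    Member.new(email: "frank@acme.com", role: :member, source: :directory),
  ]
  reconcile(dir, mem, admin_groups: ["kit-admins@acme.com"]).each { |a| p a }
end
```

Keeping the pass pure makes the "never touch" guarantees easy to verify: any action naming the owner or a manually invited member is a bug in the reconciler, not a data problem, and suspended users are handled identically to deleted ones because both are absent from the active set.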

## Quick Checklist

- [ ] Verify your email domain for the account
- [ ] Configure your IdP with Kit's ACS URL and SP Entity ID
- [ ] Paste your IdP Entity ID, SSO URL, and signing certificate into Kit
- [ ] Enable SSO and test a sign-in
- [ ] Super admin authorizes Kit's service account Client ID for domain-wide delegation with the three read-only scopes
- [ ] Enter the primary domain, delegated admin email, and any admin groups
- [ ] Run **Test connection** until it reports Active
- [ ] Confirm your seat policy (auto-consume on or off)