SSO & Directory Provisioning
Set up SAML single sign-on and automatic user provisioning/deprovisioning from Google Workspace so your team's access stays in lockstep with your directory.
Why It Matters
Enterprise teams need two things for access compliance: employees sign in with your identity provider (no separate Kit passwords), and access is granted and revoked automatically as people join and leave. Kit supports both — SAML single sign-on for login and Google Workspace directory sync for automatic provisioning and deprovisioning.
Both are configured under Settings → Integrations, and both require an administrator to set up.
Note
SSO and directory sync are independent. You can enable SSO on its own, directory sync on its own, or both together.
Part 1: SAML Single Sign-On
SAML SSO lets your team sign in through your identity provider (Google Workspace, Okta, Microsoft Entra, OneLogin, and others). Kit is the service provider (SP); your identity provider is the IdP.
Step 1 — Give your IdP Kit’s service provider details
In your IdP’s SAML app configuration, use these values from the Kit SSO settings page:
| Field in your IdP | Value from Kit |
|---|---|
| ACS URL / Reply URL / Single sign-on URL | https://app.startupkit.app/users/auth/saml/callback |
| SP Entity ID / Audience URI | https://app.startupkit.app/users/auth/saml/metadata |
| Name ID format | Email address |
The exact values for your account are shown on the SSO settings page, and a downloadable SP metadata URL is provided if your IdP prefers to import metadata.
Step 2 — Verify your email domain
Kit only accepts SSO logins whose email domain you’ve verified for your account (for example acme.com). This is what stops another organization’s identity provider from signing users into your workspace. Verify your domain under Settings → Custom Domains / Account before enabling SSO.
Step 3 — Paste your IdP details into Kit
Back on the Kit SSO settings page, enter:
- IdP Entity ID — the Issuer / Entity ID from your IdP’s SAML app
- IdP SSO URL — the sign-in URL your IdP exposes
- IdP signing certificate — the X.509 certificate (PEM) your IdP signs assertions with
You can also paste your IdP’s metadata XML and Kit will fill these in for you.
Step 4 — Enable SSO
Click Enable SSO. Your team can now sign in through your identity provider. Both IdP-initiated sign-in (launching Kit from your IdP dashboard) and sign-in started from Kit's own login page (SP-initiated) are supported.
Important
When a new person signs in via SSO for the first time, Kit creates their account automatically, as long as their email domain is verified for your workspace. If a user with that email already exists, Kit links the SSO identity to that existing account.
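The checks that Steps 1, 2 and 4 drive on the service-provider side, as an added Python example (not Kit's own code). It assumes the XML signature has already been verified against the Step 3 certificate, and the SAML response it exercises is constructed for the demonstration.

```python
# Added illustration (not Kit's code): SP-side checks driven by Steps 1, 2 and 4.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://app.startupkit.app/users/auth/saml/metadata"   # Step 1
ACS_URL = "https://app.startupkit.app/users/auth/saml/callback"        # Step 1


def sample_response(email, audience=SP_ENTITY_ID, recipient=ACS_URL):
    """Constructed, unsigned SAML response used only to exercise the checks."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(response_xml, verified_domains, existing_users):
    """Return ('create' | 'link', email) on success, else ('reject', reason)."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ("reject", "no assertion")
    # The assertion must be addressed to Kit's SP Entity ID (Step 1).
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             namespaces=NS)
    if aud != SP_ENTITY_ID:
        return ("reject", "audience mismatch")
    # The bearer confirmation must be meant for Kit's ACS URL (Step 1).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/"
                         "saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        return ("reject", "recipient mismatch")
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT:
        return ("reject", "NameID is not an email address")
    email = (nid.text or "").strip().lower()
    # Step 2: only a domain verified for this workspace may sign users in.
    if email.rpartition("@")[2] not in verified_domains:
        return ("reject", "email domain not verified for this workspace")
    # Step 4: first sign-in creates the account; an existing account is linked.
    return ("link" if email in existing_users else "create", email)
```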
Part 2: Google Workspace Directory Provisioning
Directory sync keeps your Kit members in lockstep with your Google Workspace directory. Because Google does not push changes to apps, Kit pulls from the Google Admin SDK on a schedule — Google is always the source of truth.
Step 1 — Authorize Kit’s service account (domain-wide delegation)
A Google Workspace super admin must authorize Kit’s service account to read your directory:
- Open the Google Admin console → Security → Access and data control → API controls → Domain-wide delegation.
- Click Add new and enter Kit’s service account Client ID (shown on the Kit directory settings page).
- Add these read-only OAuth scopes, comma-separated:
  https://www.googleapis.com/auth/admin.directory.user.readonly
  https://www.googleapis.com/auth/admin.directory.group.readonly
  https://www.googleapis.com/auth/admin.directory.group.member.readonly
- Authorize. Propagation can take a few minutes.
Danger
Kit requests read-only scopes only — it can never modify your Google directory. It reads your users and groups to mirror them into Kit.
Step 2 — Configure the connection in Kit
On the Kit directory settings page, enter:
- Primary domain — your Workspace domain (for example acme.com)
- Delegated admin email — a Workspace admin Kit impersonates read-only to list the directory
- Admin group emails (optional) — members of these Google groups are provisioned as Kit account admins
- Google customer ID — leave as my_customer unless you manage multiple Google organizations
Step 3 — Test the connection
Click Test connection. Kit runs a read-only probe and reports success, or tells you exactly what’s missing:
| Result | What it means |
|---|---|
| Active | Domain-wide delegation and scopes are configured correctly. |
| Service account not authorized for domain-wide delegation | The Client ID hasn’t been added in the Admin console (Step 1). |
| Missing required directory scopes | The Client ID is authorized but the read-only scopes weren’t granted. |
How Provisioning & Deprovisioning Work
Once the connection is Active, Kit reconciles your team automatically.
| Behavior | Detail |
|---|---|
| Sync cadence | Roughly every hour. Use Sync now on the directory page to run it immediately. |
| Source of truth | Google Workspace. Kit mirrors it — it never writes back. |
| New directory user | A Kit account is created and the person becomes a member of your workspace. |
| Removed / suspended user | Their Kit membership is removed, and their API tokens and connected app sessions are revoked. |
| Group → role mapping | Members of your configured admin groups become Kit admins. |
| Seat billing | A provisioned member consumes a seat by default (toggle this per connection). With auto-seat off, new directory users are not auto-added. |
What Kit will never touch
- The account owner is never removed by directory sync, even if they’re absent from the directory.
- Manually invited members are never removed or reclassified — directory sync only manages the members it provisioned.
Tip
To offboard someone, remove or suspend them in Google Workspace. At the next sync (or when you click Sync now), Kit removes their access and revokes their tokens automatically.
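One sync run under the rules in the table above and the "never touch" list, as an added Python example (not Kit's own code). The data shapes, the sample directory and the demotion of a provisioned admin who leaves the admin group are assumptions made for the illustration.

```python
# Added illustration (not Kit's code) of one sync run under the rules above;
# the data shapes and the demotion of a provisioned admin are assumptions.
from dataclasses import dataclass


@dataclass
class DirUser:               # a row pulled from the Google Admin SDK
    email: str
    suspended: bool = False


@dataclass
class Member:                # a current Kit member
    email: str
    role: str = "member"     # "owner" | "admin" | "member"
    provisioned: bool = False  # True only when directory sync created it


def reconcile(directory, admin_group_members, members, auto_seat=True):
    """Return the actions one sync run applies; Google is the source of truth."""
    active = {u.email.lower() for u in directory if not u.suspended}
    admins = {e.lower() for e in admin_group_members}
    current = {m.email.lower(): m for m in members}
    actions = []
    # New directory users get a Kit account and a seat, unless auto-seat is off.
    for email in sorted(active - set(current)):
        if auto_seat:
            actions.append(("create", email, "admin" if email in admins else "member"))
    for email, m in sorted(current.items()):
        if m.role == "owner" or not m.provisioned:
            continue  # the owner and manually invited members are never touched
        if email not in active:
            # Removed or suspended in Google: drop membership, revoke tokens/sessions.
            actions.append(("remove", email, "revoke_tokens_and_sessions"))
            continue
        want = "admin" if email in admins else "member"
        if m.role != want:
            actions.append(("set_role", email, want))  # group -> role mapping
    return actions


def demo(auto_seat=True):
    """Constructed sample: Ann joined, Bob was suspended, Cat joined the admin group."""
    directory = [DirUser("ann@acme.com"), DirUser("bob@acme.com", suspended=True),
                 DirUser("cat@acme.com")]
    members = [Member("owner@acme.com", role="owner"),
               Member("bob@acme.com", provisioned=True),
               Member("cat@acme.com", provisioned=True),
               Member("dan@acme.com")]  # invited by hand; absent from Google
    return reconcile(directory, ["cat@acme.com"], members, auto_seat)
```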
Quick Checklist
- Verify your email domain for the account
- Configure your IdP with Kit’s ACS URL and SP Entity ID
- Paste your IdP Entity ID, SSO URL, and signing certificate into Kit
- Enable SSO and test a sign-in
- Super admin authorizes Kit’s service account Client ID for domain-wide delegation with the three read-only scopes
- Enter the primary domain, delegated admin email, and any admin groups
- Run Test connection until it reports Active
- Confirm your seat policy (auto-consume on or off)