Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.summand.com/llms.txt

Use this file to discover all available pages before exploring further.

Summand supports any IdP supported by WorkOS. The WorkOS Admin Portal is the configuration surface; Summand opens it for you from organization settings.

IdPs with first-class WorkOS support

Beyond Okta, Entra, and Google Workspace (which have their own pages), WorkOS ships preset wizards for:
  • OneLogin (SAML, OIDC, SCIM)
  • JumpCloud (SAML, SCIM)
  • Auth0 (OIDC)
  • Ping Identity (SAML)
  • Duo SSO (SAML)
  • Salesforce (SAML)
  • VMware Workspace ONE (SAML)
  • CyberArk Identity (SAML)
  • Rippling (SAML, SCIM)
  • BambooHR (SCIM directory only)
Plus generic SAML 2.0 and OIDC options for anything not in the list — including custom in-house IdPs. The full, current list lives in WorkOS’s Identity Provider Handbook.

Setup

The flow is identical for every IdP:
1

Verify your domain

Settings → Organization → Domain Verification → Configure.
2

Open the SSO Admin Portal

Settings → Organization → Single Sign-On → Configure. Pick your IdP from the list.
3

Configure the IdP side

The portal provides the ACS URL / redirect URI / Entity ID, and tells you which attributes to send. Configure the IdP using its own admin UI.
4

Return metadata to the portal

Most IdPs provide a metadata URL or XML download. Paste it; WorkOS validates the certificate and pre-fills.
5

Test

Click Test connection in the portal.
6

(Optional) Directory Sync

If your IdP supports SCIM and you want auto-deprovisioning, Settings → Organization → Directory Sync → Configure and walk through the SCIM setup.

Required attributes

Whatever IdP you use, the SAML response (or OIDC ID token) must include:
AttributeRequiredPurpose
emailPrimary identifier
name, or given_name + family_nameDisplay name
groupsoptionalFor group-based role mapping
Summand-side mapping happens inside the WorkOS portal — you can rename source attributes and bind groups to roles without touching the IdP again.

Custom in-house IdPs

If you run your own SAML or OIDC provider:
  • For SAML, use the Generic SAML option in the WorkOS portal. Provide your IdP’s metadata URL or paste the SSO URL, Entity ID, and X.509 certificate manually.
  • For OIDC, use the Generic OIDC option. Provide the issuer URL, client ID, and client secret. Required scopes: openid, email, profile.
WorkOS handles RelayState, encrypted assertions, and standard SAML signing patterns. For unusual setups (e.g. signed authn requests with a custom signing key), contact support@summand.com — Enterprise customers can request a guided integration session.

What if my IdP isn’t supported?

If WorkOS doesn’t support your IdP and the generic SAML / OIDC paths don’t work:
  • Most IdPs are reachable through OneLogin or Auth0 as a layer.
  • For brand-new IdPs gaining traction, WorkOS regularly ships new connectors — file a request via Summand support and we’ll forward it.
  • For air-gapped enterprise deployments, contact sales — we can discuss a private deployment.