Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.summand.com/llms.txt

Use this file to discover all available pages before exploring further.

Summand’s identity layer is built on WorkOS. When an org admin clicks Configure under any Enterprise feature in Settings → Organization, Summand generates a one-time WorkOS Admin Portal link and redirects you to it. The portal is where every actual configuration step happens — Summand doesn’t reimplement the IdP wizard. This means every IdP and integration WorkOS supports is automatically available to Summand customers, without us shipping a new release.

What’s available in the Admin Portal

The portal exposes one hosted UI per intent. Each intent is a separate “Configure” button in Summand’s organization settings.
IntentWhat it configuresCommon IdP examples
SSOSAML 2.0 or OIDC for sign-inOkta, Azure AD / Entra, Google Workspace, OneLogin, JumpCloud, Auth0, Ping, custom
Directory SyncSCIM provisioning + deprovisioningOkta, Azure AD, OneLogin, JumpCloud, BambooHR, Rippling
Domain VerificationClaim ownership of an email domainDNS TXT record validation
Audit LogsView authentication & security eventsWorkOS-hosted log viewer
Log StreamsForward events to your SIEMDatadog, Splunk, AWS S3, generic webhook
Certificate RenewalRotate SAML signing certificatesPer-IdP rotation flows
See the per-IdP guides for setup details:

Okta

SAML or OIDC, with optional SCIM directory sync.

Azure AD / Entra ID

OIDC or SAML, with Entra-native directory sync.

Google Workspace

Custom SAML, with manual user provisioning.

Other IdPs

OneLogin, JumpCloud, Auth0, Ping, custom — any standards-compliant SAML or OIDC provider.

How sign-in works

User enters email at summand.com


Summand calls /api/auth/sso/check-domain
   │  GET workos.organizations.listOrganizations({ domains: [<domain>] })

Domain matches a WorkOS organization with SSO?

   ├─ Yes → redirect to WorkOS authorization URL
   │     └─ User authenticates at the IdP
   │        └─ WorkOS validates the response
   │           └─ Redirects to /auth/callback with code
   │              └─ Summand exchanges the code for a session
   │                 └─ JIT-provisions the user if first sign-in
   │                    └─ Sets session cookies → user is in

   └─ No → falls back to email + password (or Google / GitHub OAuth)
The user never types a workspace URL. Email-domain lookup handles routing automatically. Summand also exposes direct Continue with Google and Continue with GitHub buttons on the sign-in screen — those go straight to WorkOS’s hosted social providers.

Setting up SSO end-to-end

1

Verify your domain

From Settings → Organization → Domain Verification, click Configure. The Admin Portal asks you to add a TXT record at the apex of your domain. Once DNS propagates and you click Verify, that domain becomes the routing key for SSO sign-ins.Multiple domains are supported — verify each one separately.
2

Configure your IdP

From Settings → Organization → Single Sign-On, click Configure. The Admin Portal opens; pick your IdP (Okta, Azure AD, Google Workspace, etc.) and follow the per-IdP wizard. WorkOS provides ACS URLs, Entity IDs, and metadata download links inline — copy them into your IdP, paste your IdP’s metadata back into the portal, and click Test.The whole step takes 5-10 minutes if you have IdP admin access.
3

(Optional) Set up Directory Sync

Under Directory Sync → Configure, connect a SCIM provider so users are auto-provisioned when added to your IdP and auto-deprovisioned when removed. Without directory sync, users are JIT-created on first sign-in but not removed automatically when they leave.
4

(Optional) Set up audit log streaming

Under Log Streams → Configure, forward auth events to Datadog, Splunk, S3, or any HTTPS webhook. Keep this enabled in production for compliance.
5

Test as a real user

Open summand.com in an incognito window, enter an email at your verified domain, and confirm you’re redirected to your IdP. New users are auto-provisioned via JIT and added to your WorkOS organization.

Authentication options

Summand surfaces three sign-in paths on the login screen:
MethodWhen to use
Email-based SSODefault for SSO-enabled domains. Email entry triggers IdP redirect automatically.
Continue with Google / GitHubDirect social login via WorkOS-hosted OAuth, useful for individual accounts.
Email + passwordFallback for non-SSO domains and individual accounts.
Email + password and social login coexist with SSO. If your org wants password login disabled for SSO-eligible domains, configure that in your WorkOS organization settings via the Admin Portal — it’s enforced at the WorkOS layer, not in Summand code.

Just-in-time (JIT) provisioning

When a new user signs in via SSO for the first time, Summand creates their account automatically using attributes from the IdP. Required attributes:
AttributePurpose
emailPrimary identifier
name (or given_name + family_name)Display name
Group memberships and roles are mapped via Directory Sync if enabled, or manually in Settings → Organization → Members.

What Summand stores vs. what WorkOS stores

DataStored in
User identity, sessions, MFA factorsWorkOS
SSO connection config (cert, ACS URL, attributes)WorkOS
Directory sync stateWorkOS
Audit log events for authWorkOS (forwarded to your SIEM via Log Streams)
Organization membership in SummandSummand DynamoDB
Datasets, connectors, semantic layersSummand AWS
This split is intentional — identity-critical data is held by a SOC 2 Type II identity provider rather than reimplemented inside Summand.

Troubleshooting

For symptom-level debugging — bad metadata, attribute mismatches, certificate issues — see SSO troubleshooting.