SSO is available on Team and Enterprise plans. We support SAML 2.0 and OIDC, which covers Okta, Entra ID, Google Workspace, and anything else standards-compliant. Setup takes about fifteen minutes if you have admin access on both sides.
Configuration
- Go to Settings → Authentication → Configure SSO and copy the ACS URL and entity ID.
- Create the app in your identity provider and paste both values in.
- Upload your IdP metadata XML (or paste the OIDC discovery URL).
- Map at minimum: email, name. Optional: groups, for role mapping.
- Test with one account before enforcing — there is a 'test login' button for exactly this.
Enforcement
Once verified, you can require SSO for all members. Existing password sessions are invalidated within an hour. Workspace owners keep one break-glass password login in case your IdP goes down — we have seen that outage too many times to remove it.
# verify your configuration from the CLI
y0 auth sso verify --domain yourcompany.comGroup-to-role mapping (IdP groups → mynd roles) is Enterprise-only. If you need SCIM provisioning, contact us — it is in beta and we are onboarding teams manually.