For identity & security teams

Extend your identity provider to your AI agents.

Same joiner–mover–leaver controls. Zero standing agent privileges.

Your IdP already governs every employee. Eniyan extends it to every agent: people and groups sync in over SCIM, operators delegate the entitlements they actually hold, and agents act on 10-minute OAuth tokens that die with the human's access.

Book a demo

Pick a time that works for you — we'll walk you through Eniyan for your use case.

How it works

From connected IdP to governed agents in four steps.

1. Connect your identity provider

Point Eniyan at your IdP over OIDC or SAML 2.0 — a discovery URL and client credentials, or your IdP's SAML metadata. Per-org opt-in; password sign-in keeps working.

2. SCIM syncs your people and groups

Mint a SCIM token from the dashboard, paste it into your IdP's provisioning settings, and your users and groups flow in — and stay current. Deactivations flow through too.

3. Operators delegate live entitlements

Each operator sees the IdP groups they currently hold and delegates them to the agents they're accountable for. A delegation lives only as long as the human keeps the group.

4. Agents mint scoped 10-minute tokens

Agents exchange their signed credential for OAuth 2.0 access tokens scoped to exactly those live entitlements — PKCE issuance, RFC 7662 introspection, nothing standing.

Joiner · Mover · Leaver

Offboard an agent the way you offboard an employee.

Agent access is tied to a live human identity, not a static secret. Deactivate the person in your IdP and their agents lose access automatically — elapsed time, one token lifetime.

01. Deactivate the human in your IdP

An operator leaves, or loses a role. You deactivate them in your identity provider — the same action you already take today.

02. SCIM tells Eniyan

SCIM 2.0 deprovisioning flows through in real time. The operator's record suspends, and every agent anchored to them suspends with it.

03. Delegations lapse instantly

Every entitlement that operator delegated to an agent disappears the moment they lose the underlying IdP group. Lose the group, lose the scope.

04. Tokens age out in minutes

Agent tokens live 10 minutes and re-check entitlements at every mint. No standing privileges, no orphaned service accounts to hunt down later.
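
The leaver flow above, together with the mint-time re-check from "How it works" steps 3 and 4, as a small added model (not Eniyan's code or API). All class and function names are hypothetical, and it assumes resource servers validate tokens locally, so a token issued before deactivation stays usable until it expires.

```python
from dataclasses import dataclass, field

TOKEN_TTL = 600  # seconds; the 10-minute token lifetime stated on the page

@dataclass
class Directory:
    """State a SCIM sync would keep current (constructed model)."""
    active: dict = field(default_factory=dict)  # operator -> bool
    groups: dict = field(default_factory=dict)  # operator -> set of IdP groups

@dataclass
class Agent:
    name: str
    operator: str    # the human the agent is anchored to
    delegated: set   # IdP groups the operator delegated to it

def mint(directory, agent, now):
    """Re-check entitlements at every mint; return a token or None."""
    if not directory.active.get(agent.operator, False):
        return None  # operator suspended, so the agent is suspended
    # Scope is only what was delegated AND is still held by the human,
    # so the agent can never out-rank the operator behind it.
    live = agent.delegated & directory.groups.get(agent.operator, set())
    if not live:
        return None
    return {"sub": agent.name, "scope": sorted(live), "exp": now + TOKEN_TTL}

def introspect(token, now):
    """RFC 7662-shaped response built from the token's own expiry."""
    if token is None or now >= token["exp"]:
        return {"active": False}
    return {"active": True, "scope": " ".join(token["scope"]),
            "exp": token["exp"]}

def scim_deactivate(directory, operator):
    """Leaver: the IdP deprovisions the operator."""
    directory.active[operator] = False

def scim_remove_group(directory, operator, group):
    """Mover: the operator loses one IdP group."""
    directory.groups[operator].discard(group)
```

The window to watch is the gap between deactivation and `exp`: new mints fail immediately, while the last token issued remains valid for at most `TOKEN_TTL` seconds.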

Compatibility

Works with the identity provider you already run.

Federate over standard OIDC, SAML 2.0, and SCIM — no rip-and-replace, no proprietary connectors. If it speaks OIDC or SAML, it works.

Identity provider | OIDC SSO | SAML 2.0 | SCIM provisioning | Group Push
Okta
Microsoft Entra ID
Auth0
OneLogin
Ping Identity
JumpCloud
Google Workspace (Users only)
Any OIDC / SAML IdP

Google Workspace supports SSO today; group-based delegation needs an IdP with SCIM group push. Don't see yours? If it speaks OIDC or SAML, it works.

Frequently asked questions

Do we have to replace our identity provider?
No — Eniyan federates to it. Your IdP stays the system of record for people; Eniyan becomes the identity provider for your agents, kept in sync over OIDC/SAML for sign-in and SCIM 2.0 for provisioning. Everything is additive and per-org opt-in: password sign-in keeps working, and disconnecting the IdP returns you to exactly the setup you have today.
We run Okta / Microsoft Entra ID / another IdP — will it work?
If it speaks OIDC or SAML 2.0, it works — Okta, Microsoft Entra ID, Auth0, OneLogin, Ping Identity, JumpCloud, and any standards-compliant provider. SCIM 2.0 handles user provisioning and group push. Google Workspace is supported for single sign-on; group-based entitlement delegation requires an IdP with SCIM group push.
What happens when someone leaves the company?
The same thing that happens to their laptop login — automatically. Deactivating them in your IdP flows through SCIM: their operator record suspends, every agent anchored to them suspends, and every entitlement they delegated lapses. Because agent tokens live 10 minutes and re-check entitlements at every mint, their agents lose all access within one token lifetime — no service-account audit six months later.
How do agents get access without service accounts or shared secrets?
Through delegation, not credentials-in-a-vault. An operator delegates the IdP groups they currently hold to an agent; the agent then exchanges its signed Eniyan credential for a 10-minute OAuth 2.0 access token scoped to exactly those live entitlements. Your services validate it like any bearer token, or via RFC 7662 introspection. There is no static secret to rotate, and the agent can never out-rank the human behind it.
How long does connecting our IdP take?
It's configuration, not a migration. OIDC needs a discovery URL and client credentials; SAML needs your IdP's metadata; SCIM needs a bearer token minted from the Eniyan dashboard and pasted into your IdP's provisioning settings. There's a built-in connection test, and nothing about your existing IdP applications changes.

Eniyan

Bring your agent workforce under your IdP — and under control.

See your own identity-provider groups delegated to a live agent, with 10-minute tokens and runtime risk controls — in about 30 minutes.
