Extend your identity provider to your AI agents.
Same joiner–mover–leaver controls. Zero standing agent privileges.
Your IdP already governs every employee. Eniyan extends it to every agent: people and groups sync in over SCIM, operators delegate the entitlements they actually hold, and agents act on 10-minute OAuth tokens that die with the human's access.
How it works
From connected IdP to governed agents in four steps.
Connect your identity provider
Point Eniyan at your IdP over OIDC or SAML 2.0 — a discovery URL and client credentials, or your IdP's SAML metadata. Per-org opt-in; password sign-in keeps working.
SCIM syncs your people and groups
Mint a SCIM token from the dashboard, paste it into your IdP's provisioning settings, and your users and groups flow in — and stay current. Deactivations flow through too.
Operators delegate live entitlements
Each operator sees the IdP groups they currently hold and delegates them to the agents they're accountable for. A delegation lives only as long as the human keeps the group.
Agents mint scoped 10-minute tokens
Agents exchange their signed credential for OAuth 2.0 access tokens scoped to exactly those live entitlements — PKCE issuance, RFC 7662 introspection, nothing standing.
Joiner · Mover · Leaver
Offboard an agent the way you offboard an employee.
Agent access is tied to a live human identity, not a static secret. Deactivate the person in your IdP and their agents lose access automatically. Elapsed time: one token lifetime.
Deactivate the human in your IdP
An operator leaves, or loses a role. You deactivate them in your identity provider — the same action you already take today.
SCIM tells Eniyan
SCIM 2.0 deprovisioning flows through in real time. The operator's record suspends, and every agent anchored to them suspends with it.
Delegations lapse instantly
Every entitlement that operator delegated to an agent disappears the moment they lose the underlying IdP group. Lose the group, lose the scope.
Tokens age out in minutes
Agent tokens live 10 minutes and re-check entitlements at every mint. No standing privileges, no orphaned service accounts to hunt down later.
Compatibility
Works with the identity provider you already run.
Federate over standard OIDC, SAML 2.0, and SCIM — no rip-and-replace, no proprietary connectors. If it speaks OIDC or SAML, it works.
| Identity provider | OIDC SSO | SAML 2.0 | SCIM provisioning | Group Push |
|---|---|---|---|---|
| Okta | ||||
| Microsoft Entra ID | ||||
| Auth0 | ||||
| OneLogin | ||||
| Ping Identity | ||||
| JumpCloud | ||||
| Google Workspace | Users only | |||
| Any OIDC / SAML IdP |
Google Workspace supports SSO today; group-based delegation needs an IdP with SCIM group push. Don't see yours? If it speaks OIDC or SAML, it works.
Frequently asked questions
Do we have to replace our identity provider?
We run Okta / Microsoft Entra ID / another IdP — will it work?
What happens when someone leaves the company?
How do agents get access without service accounts or shared secrets?
How long does connecting our IdP take?
Eniyan
Bring your agent workforce under your IdP — and under control.
See your own identity-provider groups delegated to a live agent, with 10-minute tokens and runtime risk controls — in about 30 minutes.