User Management
The Administration console lets you manage users in your Airia application under Settings. You can add, edit, or delete users created in the platform, or integrate with your identity provider for SSO and user & group provisioning.
Airia supports setting up SSO for your organization using OpenID Connect (OIDC) and provisioning users & groups using SCIM 2.0.
Users
Roles and Permissions
The following table describes the roles and their default permissions:
Role | Permissions |
---|---|
Platform Admin | Super admin with full access to the platform. |
Admin | Admin with a subset of permissions; restricted from viewing Guardrails, viewing violation feeds, user prompt and agent response details, account settings, SSO settings, and SIEM settings. |
User | User with permissions to leverage the Airia chat client to interact with Agents. |
Configure SSO:
Navigate to SSO Settings
- Scroll down the left-side navigation bar
- Select Settings > SSO
Enter Your Identity Provider (IDP) Details
- Provide a friendly display name for your identity provider
- Create an OIDC app registration in your IDP (e.g., EntraID, Okta, Ping)
- Copy the redirect URI generated into your identity provider settings
- Enter the OIDC discovery endpoint in Airia to populate the URI
- Input your Client ID and Client Secret
- Specify the domains that should redirect to your IDP for authentication
Manage Access
- Set the default role appropriately to ensure Just-In-Time (JIT) created users have the appropriate permissions
- Control user access to the Airia platform via your OIDC application settings in your identity provider to ensure that only approved users or groups can authenticate
Enabling SSO configures the Airia platform for JIT user provisioning. Ensure the OIDC app in the IDP has the appropriate users and groups.
For Microsoft Entra integration, only OIDC v2 is supported.
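A pre-flight check for the OIDC discovery endpoint entered during SSO setup, including the Entra v2 requirement above. This is an added example, not Airia code: `check_discovery` is a hypothetical helper, and the tenant ID and discovery documents are constructed samples.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample data: placeholder tenant ID, trimmed discovery documents.
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = f"https://login.microsoftonline.com/{TENANT}"
V2_URL = f"{BASE}/v2.0{WELL_KNOWN}"
V2_DOC = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
}
# A v1 discovery URL (no /v2.0 segment) with a v1-style issuer.
V1_URL = f"{BASE}{WELL_KNOWN}"
V1_DOC = dict(V2_DOC, issuer=f"https://sts.windows.net/{TENANT}/")


def check_discovery(discovery_url, doc):
    """Return a list of problems found in a fetched OIDC discovery document."""
    problems = []
    url = urlsplit(discovery_url)
    if url.scheme != "https":
        problems.append("discovery URL is not https")
    # OIDC Discovery: the issuer must exactly equal the discovery URL
    # with the well-known suffix removed.
    if url.path.endswith(WELL_KNOWN):
        expected = f"{url.scheme}://{url.netloc}{url.path[:-len(WELL_KNOWN)]}"
        if doc.get("issuer") != expected:
            problems.append(f"issuer does not match {expected}")
    else:
        problems.append(f"discovery URL does not end with {WELL_KNOWN}")
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(f"{key} missing or not https")
    # Entra: v2.0 issuers end in /v2.0; a v1 document reports sts.windows.net.
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if url.hostname == "login.microsoftonline.com" and not issuer.endswith("/v2.0"):
        problems.append("Microsoft Entra issuer is not a v2.0 endpoint")
    return problems


if __name__ == "__main__":
    for name, (u, d) in {"v2": (V2_URL, V2_DOC), "v1": (V1_URL, V1_DOC)}.items():
        print(name, check_discovery(u, d) or "OK")
```

In practice, fetch the discovery document from your IDP over HTTPS and pass the parsed JSON to the function before saving the SSO settings.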
To provision users and groups from an identity provider:
Configure SSO Settings
Configure and test your SSO settings as a prerequisite to SCIM 2.0-based provisioning.
Enable Provisioning
Enable user and group provisioning in your enterprise application in your IDP.
Configure SCIM Connection
Copy the SCIM API endpoint and the secret token from your Airia tenant to the enterprise application in your IDP.
Add Required User Attributes
- Navigate to the User attribute mapping
- Add a custom attribute “Enterprise” of type string mapped to a static value for your enterprise name
- The enterprise name associated with your Airia tenant can be found by navigating to your profile in the top right. This name corresponds to the value in the Workspace field above the logout button.
Configure Group Attributes
- Navigate to Group attribute mappings, edit the group’s display name, and change it to an expression that appends the domain name
- Add a custom attribute for ‘IdentityGroupName’ and map it to the group’s displayName appended with the domain
Configure Provisioning Scope
Navigate back to the enterprise application’s provisioning settings and configure whether you want to push all users and groups or specific users and groups on demand.
IDP-provisioned users and groups are managed in your IDP. The users and groups list view shows the source of these users and groups as ‘IDP’ to indicate they were not created locally in the Airia platform.
Group provisioning via SCIM with Okta is not currently supported.