Airia supports setting up SSO for your organization using OpenID Connect (OIDC) and provisioning users & groups using SCIM 2.0.
Users
Roles and Permissions
The following table describes the roles and their default permissions:

Role | Permissions |
---|---|
Platform Admin | Super admin with full access to the platform. |
Admin | Admin with a subset of permissions, restricted from viewing Guardrails, viewing violation feeds, user prompt and agent response details, account settings, SSO settings, and SIEM settings. |
Read-Only Admin | Admin with read-only permissions across the entire platform. |
Security Admin | Admin with permissions to manage Security settings and view security-related data. |
Project Admin | Admin with administrative privileges only for the specific projects they have been given access to. |
User | User with permissions to leverage the Airia chat client to interact with Agents. |
Project Admin Details
Project Admin is a role that provides administrative privileges scoped to specific assigned projects. When assigning a user as a Project Admin, Platform Admins or Admins must select the specific projects the user will have access to.

Permissions and Capabilities:
- Agent Development: Can build and deploy agents using components within their assigned projects
- Component Management: Can edit existing components within their projects but cannot create new components (except where noted below)
- Data Sources: Cannot create new data sources, but can add files to existing data sources within their projects
- Memory Objects: Can create and manage Memory objects within their projects
- User Prompts: Can create and manage User Prompts within their projects
- System Prompts: Cannot create or manage System Prompts
- Models: Cannot create or manage Models
- Tools: Cannot create or manage Tools
- Guardrails and Constraints: Can create new guardrails and constraints that are scoped to their assigned projects
- Feeds: Only see filtered activity feeds scoped to their assigned projects
- Platform Settings: No access to platform-wide settings aside from project-scoped API Keys and Credentials
Configure SSO:
1. Navigate to SSO Settings
   - Scroll down the left-side navigation bar
   - Select Settings > SSO
2. Enter Your Identity Provider (IDP) Details
   - Provide a friendly display name for your identity provider
   - Create an OIDC app registration in your IDP (e.g., EntraID, Okta, Ping)
   - Copy the redirect URI generated into your identity provider settings
   - Enter the OIDC discovery endpoint in Airia to populate the URI
   - Input your Client ID and Client Secret
   - Specify the domains that should redirect to your IDP for authentication
3. Manage Access
   - Set the default role appropriately to ensure Just-In-Time (JIT) created users have the appropriate permissions
   - Control user access to the Airia platform via your OIDC application settings in your identity provider to ensure that only approved users or groups can authenticate
Enabling SSO configures the Airia platform for JIT user provisioning. Ensure the OIDC app in the IDP has the appropriate users and groups.

For Microsoft Entra integration, only OIDC v2 is supported.
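Before entering a discovery endpoint in the SSO settings, the document it serves can be sanity-checked offline. The following is an added example, not Airia's code: `check_discovery` is a hypothetical helper, and the tenant ID and both sample documents are constructed. It applies the OIDC Discovery issuer rule and flags a Microsoft Entra v1 endpoint, which the note above says is unsupported.

```python
from urllib.parse import urlparse

SUFFIX = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means no issue was found."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in doc]
    issuer = str(doc.get("issuer", ""))
    # OIDC Discovery serves the document at issuer + SUFFIX, so the issuer
    # must equal the discovery URL with the suffix removed (a trailing
    # slash on either side is tolerated here).
    if not discovery_url.endswith(SUFFIX):
        problems.append("discovery URL lacks " + SUFFIX)
    elif issuer.rstrip("/") != discovery_url[:-len(SUFFIX)].rstrip("/"):
        problems.append("issuer does not match discovery URL")
    # Issuer, key set and every advertised endpoint must be reached over TLS.
    for key, value in doc.items():
        if key in ("issuer", "jwks_uri") or key.endswith("_endpoint"):
            if urlparse(str(value)).scheme != "https":
                problems.append(f"{key} is not https")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("IdP advertises unsigned ID tokens (alg none)")
    # Entra v2 issuers end in /v2.0; v1 issuers live under sts.windows.net.
    if (urlparse(discovery_url).hostname == "login.microsoftonline.com"
            and not issuer.rstrip("/").endswith("/v2.0")):
        problems.append("Entra issuer is not a v2.0 endpoint")
    return problems

# Constructed sample data: placeholder tenant ID, Entra-style URLs.
BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
GOOD_URL = BASE + "/v2.0" + SUFFIX
GOOD_DOC = {
    "issuer": BASE + "/v2.0",
    "authorization_endpoint": BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "/oauth2/v2.0/token",
    "jwks_uri": BASE + "/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
V1_URL = BASE + SUFFIX
V1_DOC = dict(GOOD_DOC, issuer="https://sts.windows.net/"
              "00000000-0000-0000-0000-000000000000/")

if __name__ == "__main__":
    print(check_discovery(GOOD_URL, GOOD_DOC))
    print(check_discovery(V1_URL, V1_DOC))
```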
To provision users and groups from an identity provider:
1. Configure SSO Settings
   Configure and test your SSO Settings as a prerequisite to SCIM 2.0 based provisioning.
2. Enable Provisioning
   Enable user and group provisioning in your enterprise application in your IDP.
3. Configure SCIM Connection
   Copy the SCIM API endpoint and the secret token from your Airia tenant to the enterprise application in your IDP.
4. Add Required User Attributes
   - Navigate to the User attribute mapping
   - Add a custom attribute “Enterprise” of type string mapped to a static value for your enterprise name
   - The enterprise name associated with your Airia tenant can be found by navigating to your profile in the top right. This name corresponds to the value in the Workspace field above the logout button.
5. Configure Group Attributes
   - Navigate to Group attribute mappings, edit the group’s display name, and change it to an expression that appends the domain name
   - Add a custom attribute for ‘IdentityGroupName’ and map it to the group’s displayName appended with the domain
6. Configure Provisioning Scope
   Navigate back to the enterprise application’s provisioning settings and configure whether you want to push all users and groups or specific users and groups on demand.
IDP-provisioned users and groups are managed in your IDP. The users and groups list view will show the source of these users and groups as ‘IDP’ to indicate they are not locally created in the Airia platform.

For Entra customers, when using the v2 SCIM URL, you will need to remove custom attributes and add the - suffix to the displayName attribute.