In order to set up SSO, you must:

Before proceeding, please review our SSO Overview and User Management documentation pages to ensure you are familiar with our SSO architecture.

If you recently purchased an Enterprise ChatGPT license and are looking to configure SSO on the ChatGPT workspace, please follow the instructions here.

If you previously configured SSO on your Enterprise ChatGPT workspace, your SSO settings should already be ported over and are likely active. In this scenario, you would see the fields pre-populated on your API Platform Identity page, and you just need to ensure the "Single Sign On" button is toggled on for the organization.

If you would like to test the setup process without risking an impact on your Enterprise organization, you can do so via the application here.

Completing a successful connection on this test application will not tie back to your production org, nor will it save the connection (so you can reuse the same parameters in your Enterprise org once you're ready). This means that it is safe to use as a sandbox or playground while you familiarize yourself with the requirements and work out any missing prerequisites.

To get started, navigate to the "Identity" page underneath your Organization settings.

If this link does not resolve for you, it likely means that your Organization has not been properly configured or that you do not have the correct permissions associated with your user account. Please reach out to the Support team for assistance if you believe this should not be the case.

In order to enable SSO, we require that you first verify at least one domain.

Click the "+ Add Domain" button and enter your DNS to get started:

Once submitted, we provide a key for you to verify ownership of your domain. Navigate to your DNS provider, and add a TXT record with the provided value:

Your TXT record must be reachable via a DNS lookup in order for the verification check to succeed.

After completing this in your DNS provider, return to the setup page and click the "Check" button. If your domain ownership was validated successfully, you will see the status updated to "Verified."

You can add up to 99 verified domains per organization-id, and we provide a 7-day period for you to complete the verification check before marking a domain as expired.

Currently, domains can only be verified on a single organization. If you need to verify the same domain across multiple organizations, please contact Support.

After successfully verifying your domain, you can proceed with the SSO setup by configuring your IdP application.

To get started, click the "Manage Single Sign On" button:

You have the option to select from a list of the most popular IdP's that natively support SAML integrations. If you do not see your IdP in the list, or if you would like to use an OIDC connection, you can choose the appropriate Custom connection button shown at the bottom:

You can now follow the step-by-step configuration wizard to help create and connect your IdP application with us. Depending upon the IdP you are using, your instructions may vary slightly, but the general setup remains the same:

Note that the URL's provided in the creation step will be unique to your organization:

Once you've completed the URL setup, you can proceed to defining the attribute mapping for users authenticated through your application.

The attribute mapping you define in your application ultimately determines how your users are created/how they appear in the API Platform. Our current user model supports three properties:

Depending on your IdP, the exact attribute mapping will vary. We recommend adhering to the exact mapping depicted for your IdP in the setup wizard, e.g. Okta would be:

If you are seeing new users come through with their email addresses set to their display name, please review your attribute mapping and confirm that you are not encrypting your responses.

Alternatively, if new users are being asked to enter their name and birthday, this likely indicates we're not identifying a proper name value from your attribute response.

Occasionally, a user's email address may get updated in your IdP, e.g.

This will ultimately result in a new OpenAI user tied to the new email address. In order for the new user to login successfully, you will need to ensure they have been provisioned an invitation to the Platform org.

In some cases, you may have users with multiple different email addresses. This is a common scenario in larger companies that have distributed mailing systems or for Edu customers with different schools, e.g.

In this situation, we recommend ensuring that your SAML response only includes a single email address in its attributes, as including multiple emails can cause confusion when we attempt to tie it to a new or existing user.

Additionally, if the users have a static email address (e.g. a UPN), we recommend utilizing this in your attribute mapping to ensure they will have a stable OpenAI user account that will not be impacted when their other email addresses may be changed.

Once you have successfully created your attribute mapping, the wizard will walk you through the steps to provision access to the appropriate users via the desired groups.

Please review our recommendations on User Management for best practices.

At this point in the setup, you have two separate options for defining your IdP's metadata: Dynamic Configuration and Manual Configuration.

This is the recommended and most straightforward option. With Dynamic Configuration, you simply need to provide the Metadata URL (now populated by the SSO URL and Entity ID you configured earlier) associated with your application. The setup wizard will show you where you can find this in your IdP:

As the name implies, Manual Configuration requires a bit more work. Depending upon your IdP, you will need to enter the corresponding SSO URL and IdP issuer, along with an x.509 certificate:

If you would like for your users to be able to click a tile on their dashboard and be automatically authenticated, you can configure IdP-initiated auth to your application as part of the setup process. While the exact process will vary depending upon your IdP, the general process will utilize a provided URL in the form of:

https://platform.openai.com/enterprise/conn_01ABC02DEF/login

As an example, Okta will walk you through creating a new Bookmark Application with this URL:

Whereas Entra ID will allow you to enter the provided "Sign on URL" into the appropriate form:

Once you've configured your IdP's metadata, you can click "Continue" to proceed with setting up any optional bookmark apps. The final mandatory configuration step will be on the "Test Single Sign-On" page:

After hitting "Continue to sign-in," the wizard will attempt to test your new connection. If everything is successful, you will have effectively enabled SSO for your API Platform organization. You should now see this reflected on your configuration page:

Users in your IdP group, with corresponding accounts or invitations on the Enterprise workspace, should now be able to login with SSO:

If you find that your users are unable to authenticate successfully, and you run into trouble reverting the changes, please reach out to Support for immediate assistance.

Remember that enabling SSO on the API Platform applies the domain verification across all users with that domain. This means that, even if the users do not belong to your Enterprise organization, they will still be required to be part of your IdP group in order to access their personal organizations.

If after enabling SSO, you're encountering issues logging in, you can review our FAQ and Troubleshooting page for assistance to identify common errors. If you don't find a sufficient answer there, please don't hesitate to reach out to Support.