
Configuring SSO for ChatGPT

This document walks through configuring SSO for a ChatGPT workspace and its users.

Updated over a month ago

Prerequisites

In order to set up SSO, you must:

  1. Have a Team, Enterprise, or Edu ChatGPT Workspace

  2. Be an owner in this workspace

Before proceeding, please review our SSO Overview and User Management documentation pages to ensure you are familiar with our SSO architecture.

For Enterprise and Edu users: If you previously configured SSO on your API Platform organization, and recently purchased an Enterprise ChatGPT license (or decided to enable SSO for your workspace), your SSO settings should already be ported over. In this scenario, your walkthrough via the ChatGPT Identity page will simply be a matter of enabling SSO and confirming you have a tile application ready.

⚠️ You and all of your users will be locked out if SSO is not set up correctly!

An incorrect setup can result in you and all your users being locked out. We recommend that you, as the owner of the workspace, keep two separate logged-in windows open:

  1. One logged in through an incognito window

  2. One logged in through your standard browser

This allows you to test the login process and your SSO/Domain Verification setup on one window, and to revert the changes if needed via the second window.

Testing SSO

If you would like to test the setup process without risking an impact on your users, you can do so via the application here.

Completing a successful connection on this test application will not tie back to your production org, nor will it save the connection (so you can reuse the same parameters in your production instance once you're ready). This means that it is safe to use as a sandbox or playground while you familiarize yourself with the requirements and work out any missing prerequisites.

Enabling SSO

To get started, navigate to the "Identity & Provisioning" page underneath your "Manage Workspace" settings.

Some of the examples below showcase the setup in Okta, but the same logic should be applicable to all SAML IdPs.

Domain Verification

In order to enable SSO, we require that you first verify at least one domain.

Important: Remember to review the downstream impact that domain verification may have upon users with that domain.

Click the "+ Add Domain" button and enter your domain name to get started:

Once submitted, we provide a key for you to verify ownership of your domain. Navigate to your DNS provider, and add a TXT record with the provided value:

Your TXT record must be reachable via a DNS lookup in order for the verification check to succeed.

After completing this in your DNS provider, return to the setup page and click the "Check" button. If your domain ownership was validated successfully, you will see the status updated to "Verified."

You can add up to 99 verified domains per organization ID, and you have a 7-day window to complete the verification check before the domain is marked as expired.

Currently, domains can only be verified on a single organization/workspace. If you receive an error that the domain is already in use, please contact Support.

Configuring Your Application

After successfully verifying your domain, you can proceed with the SSO setup by configuring your IdP application.

To get started, click the "+ Set up SSO" button:

Selecting your Identity Provider

You have the option to select from a list of the most popular IdPs that natively support SAML integrations. If you do not see your IdP in the list, or if you would like to use an OIDC connection, you can choose the appropriate Custom connection button shown at the bottom:

Creating/Connecting the Application

You can now follow the step-by-step configuration wizard to help create and connect your IdP application with us. Depending upon the IdP you are using, your instructions may vary slightly, but the general setup remains the same:

Note that the URLs provided in the creation step will be unique to your organization:

Important: If you choose to reset a healthy SSO connection, these URL values will change. When setting up SSO again, you will need to make sure to update them in your application accordingly.

Once you've completed the URL setup, you can proceed to defining the attribute mapping for users authenticated through your application.

Attribute Mapping

The attribute mapping you define in your application ultimately determines how your users are created and how they appear in ChatGPT. Our current user model supports three properties:

  1. Email Address (required in the SAML response)

  2. First Name (optional, but recommended)

  3. Last Name (optional, but recommended)

Note: We do not support decrypting SAML Responses. Please ensure that you are not encrypting your response or assertion to guarantee we're able to correctly identify the attributes.

Depending on your IdP, the exact attribute mapping will vary. We recommend adhering to the exact mapping depicted for your IdP in the setup wizard, e.g. Okta would be:

If you are seeing new users come through with their email addresses set to their display name, please review your attribute mapping and confirm that you are not encrypting your responses.

Alternatively, if new users are being asked to enter their name and birthday, this likely indicates we're not identifying a proper name value from your attribute response.

Email Changes

Occasionally, a user's email address may get updated in your IdP, e.g.

  • A legal name change following a marriage

  • Their company was acquired and they have a new domain

  • etc.

This will ultimately result in a new OpenAI user tied to the new email address. In order for this new user to log in successfully, you must also provision them an invitation to your workspace. Once this has been completed, you can remove the original user account.

Primary Email Addresses

In some cases, you may have users with multiple different email addresses. This is a common scenario in larger companies that have distributed mailing systems or for Edu customers with different schools, e.g.

In this situation, we recommend ensuring that your SAML response only includes a single email address in its attributes, as including multiple emails can cause confusion when we attempt to tie it to a new or existing user.

Additionally, if the users have a static email address (e.g. a UPN), we recommend using it in your attribute mapping to ensure they have a stable OpenAI user account that is not affected if their other email addresses change.
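To see what your IdP actually sends, here is an added example (not OpenAI's code) that inspects a decoded SAML Response for the points raised under Attribute Mapping and Primary Email Addresses: an encrypted assertion or response, the required email attribute, exactly one email value, and the recommended name attributes. The attribute names email/firstName/lastName and the sample response are assumptions; use the names your setup wizard shows for your IdP.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Assumed attribute names; substitute the mapping your wizard shows for your IdP.
REQUIRED, RECOMMENDED = "email", ("firstName", "lastName")

# Constructed sample: unencrypted, two email values, no lastName (both are problems).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
        <saml:AttributeValue>jane.doe@mail.example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text: str) -> dict:
    """Report whether the assertion is encrypted, which attributes it carries,
    and any mapping problems the article warns about."""
    root = ET.fromstring(xml_text)
    result = {"encrypted": False, "attrs": {}, "problems": []}
    # Decryption is not supported, so an encrypted assertion or response is a hard failure.
    if (root.find(".//saml:EncryptedAssertion", NS) is not None
            or root.find(".//xenc:EncryptedData", NS) is not None):
        result["encrypted"] = True
        result["problems"].append("encrypted assertion or response: decryption is not supported")
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        result["attrs"][attr.get("Name")] = values
    emails = result["attrs"].get(REQUIRED, [])
    if not emails:
        result["problems"].append("no email attribute: it is required")
    elif len(emails) > 1:
        result["problems"].append("multiple email values: send exactly one stable address")
    for name in RECOMMENDED:
        if not result["attrs"].get(name):
            result["problems"].append(f"{name} missing: users will be prompted for their name")
    return result
```

Paste the base64-decoded SAMLResponse from your browser's SAML tracer into check_response to confirm the mapping before enabling SSO for everyone.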

Provision IdP Application Access

Once you have successfully created your attribute mapping, the wizard will walk you through the steps to provision access to the appropriate users via the desired groups.

Please review our recommendations on User Management for best practices.

Setting IdP Metadata

At this point in the setup, you have two separate options for defining your IdP's metadata: Dynamic Configuration and Manual Configuration.

Dynamic Configuration

This is the recommended and most straightforward option. With Dynamic Configuration, you simply need to provide the Metadata URL (now populated by the SSO URL and Entity ID you configured earlier) associated with your application. The setup wizard will show you where you can find this in your IdP:

Manual Configuration

As the name implies, Manual Configuration requires a bit more work. Depending upon your IdP, you will need to enter the corresponding SSO URL and IdP issuer, along with an x.509 certificate:

IdP-Initiated Login

If you would like your users to be able to click a tile on their dashboard and be automatically authenticated, you can configure IdP-initiated authentication for your application as part of the setup process. While the exact process will vary depending upon your IdP, it will generally use a provided URL in the form of:

As an example, Okta will walk you through creating a new Bookmark Application with this URL:

Whereas Entra ID will allow you to enter the provided "Sign on URL" into the appropriate form:

Important: If you choose to reset a healthy SSO connection, these URL values will change.

This means that when you configure the new connection, you will also need to update your Sign on URL accordingly, or else users will not be able to authenticate via their tiles.

Completing Setup

Once you've configured your IdP's metadata, you can click "Continue" to proceed with setting up any optional bookmark apps. The final mandatory configuration step will be on the "Test Single Sign-On" page:

After hitting "Continue to sign-in," the wizard will attempt to test your new connection. If everything is successful, you will have effectively enabled SSO for your ChatGPT workspace. You should now see this reflected on your configuration page:

Users in your IdP group, with corresponding accounts or invitations on the workspace, should now be able to log in with SSO:

  • They can navigate to chatgpt.com, enter their email, and then authenticate after we forward them to their IdP

  • They can use the Bookmark Tile URL you (optionally) configured during the setup

If you find that your users are unable to authenticate successfully, and you run into trouble reverting the changes, please reach out to Support for immediate assistance.

Troubleshooting Logins

If, after enabling SSO, you encounter issues logging in, review our FAQ and Troubleshooting page to identify common errors. If you don't find a sufficient answer there, please don't hesitate to reach out to Support.
