Configuring SSO for ChatGPT Enterprise
Updated over a week ago

Only owners of a workspace can set up identity and provisioning for their Enterprise workspace.

If you are enabling SSO for the OpenAI API Platform, please see our resource on API Platform SSO configuration.

What SSO settings are available in my workspace?

You can access these options in the Identity & Provisioning settings of your ChatGPT workspace. Please note that only workspace Owners can make changes to these settings.

| | What it controls | Considerations |
| --- | --- | --- |
| Domain Verification | Domain verification verifies that the domain associated with your email belongs to your organization. Domain verification is required to enable Automatic Account Creation or SSO. | Subdomains and top-level domains are verified separately and explicitly. It is not possible to verify a top-level domain and all its subdomains with a single domain verification entry. For example, if you wish to enable SSO for users with email addresses on both the top-level x.com domain and the y.x.com subdomain, you must complete the domain verification process twice. |
| Enforce SSO Login or Enable SSO Login | SSO Enabled: users on verified domains are unable to log into the workspace with a password. They can authenticate using SSO or Social. SSO Enforced: users on verified domains are only able to log in with SSO. They are unable to authenticate using passwords or Social. | This setting only applies to Enterprise users in your workspace with an email address associated with a verified domain. Users with other ChatGPT plans will not be affected. |
| Automatic account creation | Determines whether a new user should be added to the Enterprise Workspace automatically when they try to log in. | When enabled, users whose email address is associated with a verified domain will be provisioned in the workspace when they sign up for or log into ChatGPT. |
| Allow external domain invites | Determines whether to allow invites for users whose email address is not associated with a verified domain. | Supports “guest” invitations into the workspace for external users. |

How do I access the Identity and Provisioning settings?

To access your Identity & Provisioning settings in your ChatGPT workspace:

  1. Select your profile icon on the top-right corner of the chatgpt.com homepage.

  2. Select Manage workspace in the pop-up menu.

  3. On the left side of the page, select Identity & Provisioning.

How do I set up Domain Verification in my ChatGPT workspace?

Please note that only workspace Owners can make changes to identity and provisioning settings.

Under the Domain management section in the Identity & Provisioning settings, click on Add domain to add and verify each domain you’d like to use with Automatic Account Creation or configure for SSO.

For example, if your company email address is employee@company.abc, please enter "company.abc".

Once submitted, you will be asked to verify ownership of your domain. Navigate to your DNS provider and add a TXT record with the value provided.

If your company has been verified and added successfully, the status will display "Verified."

Subdomains and top-level domains are verified separately and explicitly. It is not possible to verify a top level domain and all its subdomains with a single domain verification entry.

For example, if you wish to enable SSO for users with email addresses on both the top-level x.com domain and the y.x.com subdomain, you must complete the domain verification process twice.

How do I set up SSO in my ChatGPT workspace?

You and all of your users will be locked out if SSO is not set up correctly!

An incorrect setup can result in you and all your users being locked out. We recommend that, as the owner of the workspace, you keep two different logged-in windows open (for example, one of them an incognito window) so you can test the login process and your SSO/Domain Verification setup in one window. If there are issues with the setup (for example, the wrong XML file was uploaded and you can no longer log in when testing it), you can use the second window to disable SSO and attempt configuration again.

Under the Single Sign On section in the Identity & Provisioning settings, click on Add SAML SSO. You will be provided with the ACS URL, Entity ID, and Tile URL. These are standard values required for setting up SSO, which you may input into your Identity Provider (IdP) settings. The exact location to enter these configurations may vary depending on your IdP. These settings may be pre-populated if you have configured SSO for the OpenAI API Platform.

Note that the ACS URL contains your organization's ID as the connection, and it may be provided as a way to log in.

Upon clicking Edit SAML SSO, a modal will appear requesting two essential details: SSO URL and X.509 Certificate. These can be found within your IdP's settings.

After successfully setting up SSO, you have the option to enforce SSO login. Once enforced, users will only be able to log in via the SSO flow and will not be able to use social logins. Please test your SSO login to ensure the configurations are correct before enabling this feature.

[OPTIONAL] If you'd like an account to be automatically created for an employee when they try to log in for the first time, you can enable the Automatic Account Creation feature. When this feature is disabled, an employee attempting to log in will be directed to a personal account. However, enabling this feature will auto-provision the employee into your Enterprise workspace.

How do ChatGPT Enterprise and OpenAI API Platform SSO settings interact?

Customers with a Custom or Unlimited billing plan for the OpenAI API Platform can configure SSO to control authentication for platform.openai.com. Check your billing plan within the billing settings of your API account.

If you are eligible to use SSO to control authentication for both your ChatGPT Enterprise workspace and OpenAI API Platform organizations, both products will share a single SSO connection with your IdP. As a result, domain verifications and SAML SSO settings will be shared between products. If you have already configured SSO in your API Platform organization, verified domains and SAML SSO settings will be pre-populated in ChatGPT. The reverse is also true.

Any changes you make to these settings in one product will be reflected in the other product.

Only certain SSO configurations across products are supported:

API Platform SSO enabled

API Platform SSO disabled

ChatGPT SSO enabled

Newly-provisioned users are unable to log in to the ChatGPT Enterprise workspace

ChatGPT SSO disabled

Note: Enabling SSO in your ChatGPT Enterprise workspace will also enable SSO for associated OpenAI API Platform organizations.

I have multiple workspaces - can I use SSO in each of my workspaces? Is it possible to have the same verified domain in multiple workspaces?

You can use SSO in each workspace only if each workspace has a different verified domain. Multiple workspaces cannot share the same verified domain.

We will support multiple workspaces with a shared verified domain at a later date.

Can I verify multiple domains and enable them for SSO in a single workspace?

Yes, as long as all domains are integrated with a single IdP, you can verify multiple domains and integrate them with SSO in a single workspace. You cannot currently configure integrations with multiple IdPs in a single workspace.

Does enforcing SSO mean that anyone invited into my workspace will need to use SSO?

No, enforcing SSO will only apply to users that are part of the ChatGPT workspace and are logging in with an email associated with a verified domain.

Users logging in with a different domain will not use SSO. This behavior enables a workspace to support guest users whose emails are not associated with a verified domain.

My employees are experiencing issues after SSO was enabled - how can I troubleshoot this?

Please consult the following scenarios for troubleshooting steps.

My employees are getting locked out of their personal ChatGPT accounts after enabling SSO

After SSO is enabled, an employee who has not been provisioned ChatGPT access within the IdP will need the IT team to provision access for them. This ensures that the user has access to ChatGPT, whether or not they've been invited to a ChatGPT Enterprise workspace.

My employee is seeing a STS.window error/a file download occurs while logging in

If you're encountering this error, the cause may be an incorrect schema mapping during the SSO setup or an incorrect SSO URL entered as the SSO sign-in URL in the configuration. This URL is usually found in the SSO settings of your Identity Provider.

My employee is still unable to log in

Make sure that, while setting up SSO, you're passing the correct attributes:

  • email: Required

  • given_name: Optional

  • family_name: Optional

Here's the exact schema mapping in JSON:

{
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
}
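
A pre-flight check for the mapping above, added here as an example and not OpenAI's code: it reads a decoded SAML assertion captured from a test login and reports whether the claims in the schema mapping are present. It assumes the Subject NameID is surfaced as the nameidentifier claim; `check_assertion` and `sample` are hypothetical names, and the assertions built by `sample` are constructed test input.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Schema mapping from the article: workspace field -> accepted claim URI(s).
MAPPING = {
    "email": [CLAIMS + "nameidentifier"],
    "given_name": [CLAIMS + "givenname", CLAIMS + "name"],
    "family_name": [CLAIMS + "surname"],
}
REQUIRED = {"email"}  # given_name and family_name are optional


def check_assertion(xml_text):
    """Return (resolved_fields, problems) for one decoded SAML assertion."""
    # Diagnostic only: no signature check. Use assertions captured from your
    # own IdP test login, not untrusted XML.
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", "", NS).strip()
        if value:
            claims[attr.get("Name")] = value
    # Assumption: the Subject NameID is surfaced as the nameidentifier claim.
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS).strip()
    if name_id:
        claims.setdefault(CLAIMS + "nameidentifier", name_id)
    resolved, problems = {}, []
    for field, uris in MAPPING.items():
        value = next((claims[u] for u in uris if u in claims), None)
        if value is not None:
            resolved[field] = value
        elif field in REQUIRED:
            problems.append(f"missing required claim for {field}: {uris[0]}")
    email = resolved.get("email", "")
    if email and "@" not in email:
        problems.append(f"email claim is not an email address: {email!r}")
    return resolved, problems


def sample(name_id, attrs):
    """Build a constructed (not real) assertion for exercising the check."""
    rows = "".join(
        f'<saml:Attribute Name="{CLAIMS}{k}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>" for k, v in attrs.items())
    subject = f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>" if name_id else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">{subject}'
            f"<saml:AttributeStatement>{rows}</saml:AttributeStatement></saml:Assertion>")
```

An IdP that sends an opaque or persistent NameID instead of the user's email address shows up here as the "not an email address" problem.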

My employee is seeing an "Oops" error

Please advise them to:

  1. Go to chatgpt.com

  2. Log in to OpenAI using a standard @company.com email account, rather than third-party authentication services like Google, Microsoft, or Apple. This will direct users to their regular SSO log-in flow.

My employee is able to log in successfully, but can't access ChatGPT Enterprise

If you're able to verify that:

  • the employee has a "Request access" screen or is not able to select a workspace from their profile menu

  • and they have received an email from OpenAI inviting them to a workspace

  • and the "Automatic account creation" is turned off

  • and you have verified the domain for your company

  • and you have checked that the email address provisioned in your IdP matches the email address you're inviting to the workspace

Please double check to see if the employee has been provisioned access to ChatGPT Enterprise.
