In order for a user to access a ChatGPT Enterprise workspace, two things need to happen:
The user needs to be provisioned in the workspace
The user needs to authenticate their identity with OpenAI
Domain verification
Prior to setting up additional provisioning and authentication options, you must verify ownership of one or more email domains on the Identity & Provisioning page. This associates the email domain with your ChatGPT Enterprise workspace. Learn more about domain verification for ChatGPT Enterprise.
Provisioning
By default, workspace owners and admins provision users by inviting them through the ChatGPT Enterprise Members page.
To automate the provisioning process, workspace owners can configure the following options on the Identity & Provisioning page:
Automatic Account Creation - grants users access to a workspace automatically based on their email domain when they attempt to log in. Learn more about Automatic Account Creation.
Directory Sync via SCIM - automatically invites users into the workspace based on their membership in specified Identity Provider groups. Learn more about SCIM provisioning.
Workspace owners can optionally disable external domain invites to block invitations to users with an email address which is not associated with a verified domain.
Email invitations and account migrations
When a user is invited into your ChatGPT Workspace, either manually or via SCIM provisioning, OpenAI will send them an invitation email by default (see this article for cases when an email will not be sent). If the user has an email address matching a verified domain, the user will automatically be added to the workspace whether they accept the invite link in their email or log in through chatgpt.com
If an invited user with an email address matching a verified domain has an existing Free or Plus ChatGPT account, they will be prompted to migrate their account to the Enterprise workspace upon accepting the invitation. Users can choose to transfer their existing data to the Enterprise workspace, or to export and delete their data. ChatGPT Plus subscriptions are automatically canceled as part of the migration process.
If an invited user has an existing Free or Plus ChatGPT account associated with an email address which does not match a verified domain, they will not be prompted to migrate their account and can keep both their personal account and their access to the Enterprise workspace.
Account migration workflow displayed to users in the ChatGPT Enterprise UI.
Authentication
By default, users authenticate with OpenAI using an email address and password, or by using Social login (Google, Microsoft, or Apple).
To further secure the authentication process, workspace owners can configure the following Single Sign-On (SSO) on the Identity & Provisioning page:
Enable SSO - Users who have been provisioned in the workspace and who have an email address associated with a verified domain are able to authenticate via the integrated Identity Provider (IdP). Enabling SSO has the effect of disabling password-based authentication for these users. Social login via Google, Microsoft, and Apple is still supported.
Enforce SSO - Has the additional effect of disabling Social login for users who have been provisioned in the workspace and who have an email address associated with a verified domain.
Enabling or enforcing SSO by itself does not impact the experience of the following types of users:
ChatGPT Free & Plus users with an email matching a verified domain who are not provisioned in the workspace. These users can continue to access their personal ChatGPT accounts after SSO is configured.
ChatGPT users with an email domain which does not match a verified email domain but who are provisioned in the workspace. These users can continue to access the ChatGPT Enterprise workspace via password-based or Social login methods.
Configuring SSO across OpenAI products
Your ChatGPT Enterprise workspace and OpenAI API Platform organizations share a single SSO connection with your IdP. As a result, domain verifications and SAML SSO settings are shared between products. If you have already configured SSO in your API Platform organization, verified domains and SAML SSO settings will be pre-populated in ChatGPT. The reverse is also true.
Any changes you make to these settings in one product will be reflected in the other product.
Only certain SSO configurations across products are supported:
| API Platform SSO enabled | API Platform SSO disabled |
ChatGPT SSO enabled | ✅ | ❌ Newly-provisioned users are unable to log in to the ChatGPT Enterprise workspace |
ChatGPT SSO disabled | ✅ | ✅ |
Note: Enabling SSO in your ChatGPT workspace will also enable SSO for associated OpenAI API Platform organizations.
Recommended identity and provisioning patterns
ChatGPT Enterprise gives you the flexibility to mix and match identity and provisioning options. The most common patterns are provided for reference.
| Provisioning | Authentication | User experience |
Opt-in access
Any user who authenticates with an email address associated with a verified domain will be automatically provisioned in your workspace. | Automatic Account Creation | Password or Social | Upon signing up for or logging into a Free or Plus account, users will be prompted to migrate to the Enterprise workspace. |
SSO with manual invites
Users who are manually invited to the workspace can authenticate with SSO. | Manual | SSO Enabled or Enforced | Users can continue to sign up for or log into Free and Plus accounts.
After being invited into the Enterprise workspace, users will be prompted to migrate their existing Free or Plus account. |
SSO with Automated Account Creation
Any user who authenticates with an email address associated with a verified domain will be automatically provisioned in your workspace and can subsequently authenticate with SSO. | Automatic Account Creation | SSO Enabled or Enforced | Upon signing up for or logging into a Free or Plus account, users will be prompted to migrate to the Enterprise workspace.
Note: users without the ability to authenticate via the IdP will be unable to log into ChatGPT after migrating to the Enterprise workspace. |
SSO with SCIM
Users who are a member of a specified IdP group are automatically invited to workspace and can subsequently authenticate with SSO. | SCIM | SSO Enabled or Enforced | Users can continue to sign up for or log into Free and Plus accounts.
Upon being added to the specified IdP groups, users receive an invitation email and are prompted to migrate their existing Free or Plus account. |