Getting started with identity and provisioning in ChatGPT Enterprise
Updated over a week ago

In order for a user to access a ChatGPT Enterprise workspace, two things need to happen:

  • The user needs to be provisioned in the workspace

  • The user needs to authenticate their identity with OpenAI

Domain verification

Prior to setting up additional provisioning and authentication options, you must verify ownership of one or more email domains on the Identity & Provisioning page. This associates the email domain with your ChatGPT Enterprise workspace. Learn more about domain verification for ChatGPT Enterprise.

Provisioning

By default, workspace owners and admins provision users by inviting them through the ChatGPT Enterprise Members page.

To automate the provisioning process, workspace owners can configure the following options on the Identity & Provisioning page:

Workspace owners can optionally disable external domain invites to block invitations to users with an email address which is not associated with a verified domain.

Email invitations and account migrations

When a user is invited into your ChatGPT Workspace, either manually or via SCIM provisioning, OpenAI will send them an invitation email by default (see this article for cases when an email will not be sent). If the user has an email address matching a verified domain, the user will automatically be added to the workspace whether they accept the invite link in their email or log in through chatgpt.com.

If an invited user with an email address matching a verified domain has an existing Free or Plus ChatGPT account, they will be prompted to migrate their account to the Enterprise workspace upon accepting the invitation. Users can choose to transfer their existing data to the Enterprise workspace, or to export and delete their data. ChatGPT Plus subscriptions are automatically canceled as part of the migration process.

If an invited user has an existing Free or Plus ChatGPT account associated with an email address which does not match a verified domain, they will not be prompted to migrate their account and can keep both their personal account and their access to the Enterprise workspace.

Account migration workflow displayed to users in the ChatGPT Enterprise UI


Authentication

By default, users authenticate with OpenAI using an email address and password, or by using Social login (Google, Microsoft, or Apple).

To further secure the authentication process, workspace owners can configure the following Single Sign-On (SSO) options on the Identity & Provisioning page:

  • Enable SSO - Users who have been provisioned in the workspace and who have an email address associated with a verified domain are able to authenticate via the integrated Identity Provider (IdP). Enabling SSO has the effect of disabling password-based authentication for these users. Social login via Google, Microsoft, and Apple is still supported.

  • Enforce SSO - Has the additional effect of disabling Social login for users who have been provisioned in the workspace and who have an email address associated with a verified domain.

Enabling or enforcing SSO by itself does not impact the experience of the following types of users:

  • ChatGPT Free & Plus users with an email matching a verified domain who are not provisioned in the workspace. These users can continue to access their personal ChatGPT accounts after SSO is configured.

  • ChatGPT users with an email domain which does not match a verified email domain but who are provisioned in the workspace. These users can continue to access the ChatGPT Enterprise workspace via password-based or Social login methods.
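
The scoping rules above can be checked against a member list before changing the SSO setting. The following is an added example, not OpenAI code: the roster, the function names and the exact, case-insensitive domain match are assumptions made for illustration.

```python
from enum import Enum

class SsoMode(Enum):
    OFF = "off"            # default: password or Social login
    ENABLED = "enabled"    # "Enable SSO"
    ENFORCED = "enforced"  # "Enforce SSO"

def login_methods(email, provisioned, verified_domains, mode):
    """Login methods an account keeps under the rules described above."""
    # Assumption: a domain matches only on an exact, case-insensitive comparison.
    domain = email.rsplit("@", 1)[-1].lower()
    # SSO settings only apply to provisioned users on a verified domain.
    in_scope = provisioned and domain in verified_domains
    if mode is SsoMode.OFF or not in_scope:
        return {"password", "social"}
    if mode is SsoMode.ENABLED:
        return {"sso", "social"}   # password login is disabled
    return {"sso"}                 # Social login is disabled as well

def non_sso_access(roster, verified_domains, mode):
    """Provisioned members who can still reach the workspace without the IdP."""
    findings = []
    for email, provisioned in roster:
        if not provisioned:
            continue  # personal Free/Plus account, not workspace access
        bypass = login_methods(email, provisioned, verified_domains, mode) - {"sso"}
        if bypass:
            findings.append((email, sorted(bypass)))
    return findings

# Constructed sample data (hypothetical roster, not a real export format).
VERIFIED = {"example.com"}
ROSTER = [
    ("alice@example.com", True),         # provisioned, verified domain
    ("bob@example.com", False),          # verified domain, not provisioned
    ("carol@contractor.example", True),  # provisioned, non-verified domain
    ("Dave@Example.com", True),          # mixed-case address
]

if __name__ == "__main__":
    for mode in (SsoMode.ENABLED, SsoMode.ENFORCED):
        print(mode.value, non_sso_access(ROSTER, VERIFIED, mode))
```

Under Enforce SSO the only members reported are those on non-verified domains, which is the group the external domain invite setting keeps from being invited.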

Configuring SSO across OpenAI products

Your ChatGPT Enterprise workspace and OpenAI API Platform organizations share a single SSO connection with your IdP. As a result, domain verifications and SAML SSO settings are shared between products. If you have already configured SSO in your API Platform organization, verified domains and SAML SSO settings will be pre-populated in ChatGPT. The reverse is also true.

Any changes you make to these settings in one product will be reflected in the other product.

Only certain SSO configurations across products are supported:

API Platform SSO enabled

API Platform SSO disabled

ChatGPT SSO enabled

Newly-provisioned users are unable to log in to the ChatGPT Enterprise workspace

ChatGPT SSO disabled

Note: Enabling SSO in your ChatGPT workspace will also enable SSO for associated OpenAI API Platform organizations.

Recommended identity and provisioning patterns

ChatGPT Enterprise gives you the flexibility to mix and match identity and provisioning options. The most common patterns are provided for reference.

Opt-in access

Any user who authenticates with an email address associated with a verified domain will be automatically provisioned in your workspace.

  • Provisioning: Automatic Account Creation

  • Authentication: Password or Social

  • User experience: Upon signing up for or logging into a Free or Plus account, users will be prompted to migrate to the Enterprise workspace.

SSO with manual invites

Users who are manually invited to the workspace can authenticate with SSO.

  • Provisioning: Manual

  • Authentication: SSO Enabled or Enforced

  • User experience: Users can continue to sign up for or log into Free and Plus accounts. After being invited into the Enterprise workspace, users will be prompted to migrate their existing Free or Plus account.

SSO with Automated Account Creation

Any user who authenticates with an email address associated with a verified domain will be automatically provisioned in your workspace and can subsequently authenticate with SSO.

  • Provisioning: Automatic Account Creation

  • Authentication: SSO Enabled or Enforced

  • User experience: Upon signing up for or logging into a Free or Plus account, users will be prompted to migrate to the Enterprise workspace. Note: users without the ability to authenticate via the IdP will be unable to log into ChatGPT after migrating to the Enterprise workspace.

SSO with SCIM

Users who are members of a specified IdP group are automatically invited to the workspace and can subsequently authenticate with SSO.

  • Provisioning: SCIM

  • Authentication: SSO Enabled or Enforced

  • User experience: Users can continue to sign up for or log into Free and Plus accounts. Upon being added to the specified IdP groups, users receive an invitation email and are prompted to migrate their existing Free or Plus account.
