SSO controls this experience for the end user
“Authentication” or “Login”
SCIM allows admins to automatically do this during the workspace setup process
Provision seats/invite users
Even if a user successfully authenticates with their IdP, their login will fail if this condition isn’t met.
Membership in an authorized workspace or organization
Before SSO can be configured in a workspace or org, this process must be completed to prove domain ownership.
Domain Verification
A common cause of one user appearing as two distinct users in a workspace
1. User changed email address
2. Domain migration
The shared unique identifier between ChatGPT and API Platform which is used for authentication
Org-ID
True or False: You must have SSO enabled to use SCIM provisioning.
FALSE
When enabled, this setting blocks users with a verified domain from logging in with password or social methods.
Enforce SSO
Training on data
The page admins use to set up SSO in ChatGPT or the API Platform
Identity page
Explanation to the question "Where did these new users come from? I didn't invite them!"
AAC (automatic account creation) is enabled
Reason a Personal/Plus account is automatically merged into the Enterprise workspace upon login even though the user didn't receive an invite email
AAC is enabled
This is the reason you must verify engineering.company.com separately from company.com.
subdomains must be verified independently
Can cause users' names to show up as email addresses when missing or mismatched
Attribute Mappings
An SSO scenario we do not easily support
HINT: IDP / DOMAIN
Multiple IdPs, single domain
When this feature flag is enabled, SCIM should be disabled as a best practice.
Automatic Account Creation
A user’s email was recently changed in their IdP (e.g., due to marriage or acquisition), but they can’t log in to OpenAI despite successful IdP authentication. Why?
The user’s old SAML profile in Auth0 is still mapped to their original email, and needs to be disassociated manually.
A requirement for enabling Domain Claiming
- 70% knowledge workers purchased
- Regulated industry (i.e., FINRA or HIPAA)
- Commitment to enroll all existing personal users into Enterprise workspace
If a user logs in with SSO but sees their email used as their display name, it’s likely because this is missing from the SAML assertion.
What are the given_name and family_name attributes?
Reason a user may not be able to use Google or Apple to sign in anymore
SSO is enabled and enforced
Reason a user may not be provisioned through SCIM despite being a part of the provisioning group in the IdP.
Already exists in OpenAI via AAC or manual invite (SCIM skips existing users).
Verifying a domain in one Platform org will force SSO for all users with that domain across Platform, because Platform SSO is enforced at this level.
the domain level
This technical problem usually explains why OpenAI can’t read attributes from an otherwise valid SAML assertion.
encrypted assertions (which are not supported)