Single Sign-On (SSO) lets your entire team sign in to LLM Ops using your company’s existing identity provider (Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 / OIDC provider) — no separate passwords required. SSO is available on the Enterprise plan.

How SSO works

When SSO is enabled for your organization:
  1. A team member goes to the Sign in page and enters their work email in the Enterprise SSO section of the sign-in box.
  2. They are redirected to your company’s login page (Okta, Azure, Google, etc.).
  3. They authenticate with their existing company credentials.
  4. They are automatically signed in to LLM Ops and land on the dashboard.
  5. If it is their first time signing in, their account is created automatically — no invitation needed.
Your team never needs to remember a separate LLM Ops password. Access is controlled entirely through your identity provider.

First time setup for the organizational owner

Follow these steps once to enable SSO for your organization.

Step 1 — Sign in

Sign up with your company email on the Sign in page. Then go to Settings → Subscription → Billing inside the app and email us by clicking the Upgrade - Contact Sales button. SSO requires the Enterprise plan.

Step 2 — Provide upgrade information for the Enterprise subscription

Email sales@cloudidr.com with:
  • Your email, phone number and name
  • Your organization name inside LLM Ops
  • Your company email domain (e.g. acme.com)
  • Your identity provider (Okta, Microsoft Entra ID, Google Workspace, or other)
Our sales executive will contact you to determine the enterprise pricing based on your usage, users and deployment needs. After that, we will provision your SSO connection in WorkOS (our SSO provider) and send you an Admin Portal link.

Step 3 — Configure your identity provider

Open the Admin Portal link we send you. It will guide you through connecting your identity provider:
  • Okta — paste the metadata URL or upload the metadata XML
  • Microsoft Entra ID (Azure AD) — enter the tenant ID and client credentials
  • Google Workspace — follow the SAML app setup instructions
The Admin Portal is self-service. You do not need to share any credentials with us.

Step 4 — Test with one user

Before rolling out to the whole team:
  1. Go to Sign in
  2. In the Enterprise SSO section, enter your work email and click Continue with SSO
  3. Complete the login flow through your identity provider
  4. Confirm you land on the LLM Ops dashboard

Step 5 — Roll out to your team

Once the test succeeds, share the login URL with your team. There is nothing to install or configure on their end — they just enter their work email and click Continue with SSO.
Note: Existing team members who previously used email/password login can continue using that method. SSO and password login work side by side.

What your team members see

On the login page, the Enterprise SSO section sits below the main sign-in form:
─────────────── Enterprise SSO ───────────────
        For Enterprise plan customers only

  [ work@yourcompany.com ]  [ Continue with SSO ]
They enter their work email and are redirected to your identity provider. After authenticating, they are brought straight to the dashboard.

Frequently asked questions

Do my team members need to be invited first?
No. Any user who authenticates through your identity provider is automatically provisioned in LLM Ops as a member of your organization on their first login.

What role do new SSO users get?
New users are assigned the Member role by default. Admins can adjust roles inside the app under Settings → Team.

Can I use both SSO and email/password?
Yes. SSO and email/password logins work side by side. You can migrate your team gradually.

What happens if our identity provider is down?
Team members can still sign in using their email and password if they have one set. We recommend that at least one admin retains a password as a break-glass option.

Can I restrict login to SSO only?
Contact sales@cloudidr.com to discuss enforced SSO (password login disabled for your org).

Troubleshooting

“SSO is not set up for your organization yet”

SSO has not been activated for your domain. Complete Steps 2–3 in the setup sequence above, or contact sales@cloudidr.com.

“Your organization is not on the Enterprise plan”

Your account is on a lower plan. Upgrade to Enterprise under Settings → Subscription, then contact us to activate SSO.

“Please use your organization email address, not a personal one”

You entered a personal email address (e.g. gmail.com, yahoo.com). Use your company work email instead.

Redirected back to login with an error after authenticating

This usually means the identity provider configuration is incomplete. Check the following:

| Check | What to verify |
| --- | --- |
| Metadata / certificate | Ensure the IdP metadata is uploaded and not expired in the Admin Portal |
| Attribute mapping | Email, first name, and last name must be mapped in your IdP SAML/OIDC config |
| Assigned users | The user must be assigned to the LLM Ops app in your IdP |
| Browser cookies | Try an incognito window to rule out stale session cookies |

If the issue persists, copy the error message from the URL bar (?sso_error=...) and send it to support@cloudidr.com.
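
The first two rows of the table can be checked offline before opening a support ticket. The script below is an added example, not code from LLM Ops or WorkOS: it reads SAML IdP metadata and a decoded SAML assertion and reports an expired `validUntil`, a missing signing certificate, and unmapped attributes. The attribute names `email`, `firstName` and `lastName` are assumptions (use the names shown in your Admin Portal), and both XML samples are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed attribute names; replace with the ones your Admin Portal asks for.
REQUIRED_ATTRS = ("email", "firstName", "lastName")

# Constructed sample: metadata that has expired and carries no certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com" validUntil="2020-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed sample: decoded assertion whose lastName mapping yields no value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ana@acme.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def metadata_problems(metadata_xml, now=None):
    """Return a list of problems found in IdP metadata XML (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    problems = []
    valid_until = root.get("validUntil")  # optional attribute on EntityDescriptor
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        expiry = expiry if expiry.tzinfo else expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append(f"metadata expired at {valid_until}")
    if root.find(".//md:IDPSSODescriptor//ds:X509Certificate", NS) is None:
        problems.append("no signing certificate in metadata")
    return problems

def missing_attributes(assertion_xml):
    """Return required attributes that are absent or empty in the assertion."""
    root = ET.fromstring(assertion_xml)
    present = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if any(v and v.strip() for v in values):
            present.add(attr.get("Name"))
    return [name for name in REQUIRED_ATTRS if name not in present]
```

This inspects XML you exported or captured from your own IdP for troubleshooting; it does not verify signatures and is not a substitute for the validation WorkOS performs.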

Login loop (redirected back to IdP repeatedly)

Clear your browser cookies for both llm-ops.cloudidr.com and your IdP domain, then try again in an incognito window.

New user not appearing in the team list after SSO login

The user’s account is created on their first successful login. Ask them to complete the login flow and then refresh Settings → Team.

Security notes

  • LLM Ops never sees or stores your identity provider credentials.
  • SSO tokens are short-lived and single-use (handled by WorkOS).
  • Your company remains in full control of access: removing a user from your IdP immediately prevents them from signing in via SSO.
  • All LLM Ops sessions use the same encrypted JWT tokens regardless of login method.

Contact

| Purpose | Contact |
| --- | --- |
| Activating SSO / plan upgrade | sales@cloudidr.com |
| Technical issues during setup | support@cloudidr.com |
| Identity provider configuration | Use the Admin Portal link we provide |