Enterprise setup

Supported sign-in and lifecycle provisioning

Enterprise setup guidance now lives inside the same documentation workspace as API reference, device trust, readiness, and FAQ.

Enterprise OIDC (Supported)

Tenant admins configure OIDC connection details, provider binding, JIT defaults, and diagnostics before rollout.

SCIM lifecycle (Supported)

Connection-scoped bearer tokens support user and group lifecycle, membership updates, PATCH (incl. active deprovisioning), equality filtering, and pagination. See the conformance matrix below.

SAML assertions (Deferred runtime)

SAML setup data and diagnostics are supported, but host-side SAML browser sign-in is not claimed as complete.

SCIM 2.0

SCIM conformance — supported vs subset

Connection-scoped SCIM 2.0 (RFC 7644) under /scim/v2/enterprise-connections/{connectionId}. We state exactly what is supported and what is an intentional subset — no "maybe-supported" ambiguity.

Capability                                                                              Status
User & Group CRUD (GET / POST / PUT / DELETE)                                           Supported
PATCH — Users (incl. active deprovisioning) and Groups (member add / remove / replace)  Supported
Equality filtering — userName eq, externalId eq                                         Supported
Pagination — startIndex + count                                                         Supported
Discovery — ServiceProviderConfig, ResourceTypes, Schemas                               Supported
Per-connection bearer-token auth (rotatable)                                            Supported
Uniqueness conflict → 409 with scimType=uniqueness                                      Supported
Complex filters (and/or, co, sw, pr)                                                    Subset
Bulk, sorting, ETag/versioning, changePassword, /Me                                     Not supported
Host-side SAML assertion runtime                                                        Deferred

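The following is an added example, not NexinID's own code, showing what a provisioning client looks like when it stays inside the rows the matrix marks as Supported: equality filters on userName/externalId, the PATCH bodies for active deprovisioning and group membership, and startIndex/count pagination. The endpoint path is the one quoted on the page; the connection id, the user records, and the in-memory list endpoint used for pagination are constructed for this example.

```python
"""Added example, not NexinID's own code: client-side helpers that stay inside
the SCIM 2.0 subset the conformance matrix marks as Supported. The endpoint
path is the one quoted on the page; the connection id, user records and the
in-memory list endpoint are constructed for this example."""
import re
from typing import Callable, Dict, Iterator, List, Optional

# Connection-scoped base path from the page; {connectionId} is filled per tenant.
BASE_PATH = "/scim/v2/enterprise-connections/{connectionId}"
SUPPORTED_EQ_ATTRS = {"userName", "externalId"}   # "Equality filtering" row
SUBSET_OPS = {"and", "or", "co", "sw", "pr"}      # "Complex filters" row

_EQ_FILTER = re.compile(r'^\s*(\w+)\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)
_SUBSET_TOKEN = re.compile(r"\b(and|or|co|sw|pr)\b", re.IGNORECASE)


def classify_filter(expr: str) -> str:
    """Map a SCIM filter string onto the matrix rows: supported / subset / unlisted."""
    m = _EQ_FILTER.match(expr)
    if m and m.group(1) in SUPPORTED_EQ_ATTRS:
        return "supported"
    if {t.lower() for t in _SUBSET_TOKEN.findall(expr)} & SUBSET_OPS:
        return "subset"
    return "unlisted"   # e.g. eq on an attribute the page does not list


def users_request(connection_id: str, filter_expr: Optional[str] = None,
                  start_index: int = 1, count: int = 100) -> Dict:
    """Describe a GET .../Users call, refusing filters outside the Supported row."""
    if filter_expr is not None and classify_filter(filter_expr) != "supported":
        raise ValueError(f"filter is not in the supported subset: {filter_expr!r}")
    params: Dict[str, object] = {"startIndex": start_index, "count": count}
    if filter_expr is not None:
        params["filter"] = filter_expr
    return {"method": "GET",
            "path": BASE_PATH.format(connectionId=connection_id) + "/Users",
            "params": params}


def deprovision_patch() -> Dict:
    """RFC 7644 PatchOp body for the 'active deprovisioning' case: active -> false."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def group_member_patch(op: str, member_id: str) -> Dict:
    """PatchOp body for the Group member add / remove / replace cases."""
    if op == "remove":
        operation = {"op": "remove", "path": f'members[value eq "{member_id}"]'}
    elif op in ("add", "replace"):
        operation = {"op": op, "path": "members", "value": [{"value": member_id}]}
    else:
        raise ValueError(f"unsupported group member op: {op!r}")
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [operation]}


def iter_users(fetch: Callable[[int, int], Dict], page_size: int) -> Iterator[Dict]:
    """Walk a ListResponse with 1-based startIndex + count until totalResults is reached."""
    start = 1
    while True:
        page = fetch(start, page_size)
        resources = page.get("Resources", [])
        yield from resources
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            break


# Constructed stand-in for the server side, so the pagination helper runs offline.
SAMPLE_USERS: List[Dict] = [
    {"id": "u1", "userName": "ada@example.com", "externalId": "ext-1", "active": True},
    {"id": "u2", "userName": "bob@example.com", "externalId": "ext-2", "active": True},
    {"id": "u3", "userName": "cy@example.com", "externalId": "ext-3", "active": False},
]


def fake_list_users(start_index: int, count: int) -> Dict:
    """Constructed ListResponse producer standing in for the real /Users endpoint."""
    window = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(SAMPLE_USERS), "startIndex": start_index,
            "itemsPerPage": len(window), "Resources": window}


if __name__ == "__main__":
    print(users_request("conn-placeholder", 'userName eq "ada@example.com"'))
    print([u["id"] for u in iter_users(fake_list_users, page_size=2)])
```

Refusing a filter client-side before it is sent keeps an IdP integration from silently depending on the "Subset" row; the pagination loop stops on an empty page as well as on totalResults so a server that under-reports the total cannot make it spin.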
Provider guides

Setup paths and boundaries

Use these provider notes for buyer-facing setup guidance while keeping current runtime limitations clear.

Okta

OIDC sign-in and SCIM lifecycle setup

Create an Okta OIDC app integration, configure redirect URI and issuer metadata, then add a NexinID enterprise connection with the provider key used by the runtime.

  • Validate issuer, client ID, and client secret before rollout.
  • Use SCIM bearer token rotation for one-time secret capture.
  • SCIM PATCH and pagination are supported; bulk, sort, and ETag are intentionally not supported (see the conformance matrix above).

Microsoft Entra ID

Tenant-specific OIDC and lifecycle provisioning

Use tenant-specific authority metadata, configure the redirect URI in Entra, and bind the NexinID enterprise connection to the matching provider key.

  • Run diagnostics after storing metadata and secrets.
  • Publish SCIM URL and token only after the connection is ready.
  • Provider-specific app gallery automation is not claimed as self-service.

Google Workspace

OIDC sign-in first, provisioning boundaries explicit

Google Workspace sign-in is supportable through OIDC provider setup. Broader Google-managed lifecycle provisioning should be treated as deferred unless an approved external bridge sends SCIM-compatible requests to NexinID.

  • Use generic OIDC metadata and a configured provider key.
  • Do not present Google lifecycle provisioning as one-click GA.
  • Document any bridge or connector as customer-specific unless productized.

Generic Providers

OIDC setup plus SAML setup-data boundaries

Generic OIDC needs issuer or metadata URL, client ID, client secret, redirect URI, provider key, allowed domains, and JIT membership defaults. Generic SAML setup can store entity ID, SSO URL, signing certificate reference, NameID format, and attribute mapping while runtime assertion consumption remains deferred.

  • OIDC sign-in is the current supportable browser sign-in path.
  • SAML setup data and diagnostics are public-safe to document.
  • Host-side SAML browser runtime is not presented as complete.
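The Okta note above says to validate issuer, client ID, and client secret before rollout, and the generic OIDC paragraph lists the full set of inputs a connection needs. The following is an added example, not NexinID's own code, of a pre-rollout check over those inputs together with the exact-match domain test that JIT membership defaults rely on. The connection values, the discovery document, and the check names are constructed for this example.

```python
"""Added example, not NexinID's own code: pre-rollout checks for the generic
OIDC inputs the page lists (issuer or metadata URL, client ID, client secret,
redirect URI, provider key, allowed domains) plus the JIT domain match those
defaults rely on. The connection values and the discovery document are
constructed; the check names are this example's own."""
from typing import Dict, List
from urllib.parse import urlparse


def _is_https(url: str) -> bool:
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_oidc_connection(conn: Dict, discovery: Dict) -> List[str]:
    """Return a list of problems; an empty list means the connection is ready."""
    problems: List[str] = []
    issuer = conn.get("issuer", "")
    if not _is_https(issuer):
        problems.append("issuer must be an absolute https URL")
    # OIDC Discovery requires the document's issuer to equal the configured one
    # exactly (even a trailing slash differs); a mismatch usually means the
    # metadata URL points at the wrong tenant or provider.
    if discovery.get("issuer") != issuer:
        problems.append("discovery issuer does not match the configured issuer")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not _is_https(discovery.get(endpoint, "")):
            problems.append(f"{endpoint} missing or not https")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    for field in ("client_id", "client_secret"):
        if not conn.get(field):
            problems.append(f"{field} is required")
    redirect = urlparse(conn.get("redirect_uri", ""))
    if redirect.scheme != "https" or not redirect.netloc or redirect.fragment:
        problems.append("redirect URI must be an absolute https URL without a fragment")
    if not conn.get("provider_key"):
        problems.append("provider key is required to bind the connection at runtime")
    domains = conn.get("allowed_domains", [])
    if not domains:
        problems.append("allowed_domains is empty, so JIT would admit any email domain")
    for d in domains:
        if d != d.strip().lower() or "@" in d or "*" in d:
            problems.append(f"allowed domain {d!r} must be a bare, lowercase host name")
    return problems


def email_domain_allowed(email: str, allowed_domains: List[str]) -> bool:
    """Exact, case-insensitive domain match for JIT membership defaults.

    Rejects suffix look-alikes (evil-example.com, example.com.evil) and
    addresses containing more than one '@'."""
    local, sep, domain = email.partition("@")
    if not sep or not local or "@" in domain:
        return False
    return domain.lower() in {d.lower() for d in allowed_domains}


# Constructed sample inputs (placeholder values, not a real tenant).
SAMPLE_CONNECTION = {
    "issuer": "https://idp.example.test",
    "client_id": "client-placeholder",
    "client_secret": "secret-placeholder",
    "redirect_uri": "https://app.example.test/auth/oidc/callback",
    "provider_key": "generic-oidc",
    "allowed_domains": ["example.com"],
}
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
    "response_types_supported": ["code"],
}


if __name__ == "__main__":
    for line in check_oidc_connection(SAMPLE_CONNECTION, SAMPLE_DISCOVERY) or ["ready"]:
        print(line)
```

Run this against the stored connection and the fetched discovery document before publishing the connection; the issuer comparison is deliberately a string equality, because normalising it away is how a metadata URL for the wrong tenant slips through diagnostics.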