Enterprise SSO, SCIM, and setup guidance

One public entry point for NexinID's current enterprise federation story: supportable OIDC sign-in, SCIM lifecycle provisioning, setup diagnostics, and clear self-service boundaries.

Current Product Story

Enterprise identity setup is documented around the flows that are live today

NexinID's tenant portal and backend now expose enterprise connection management, setup diagnostics, and SCIM lifecycle controls. This page keeps the public wording aligned to that implementation instead of over-claiming generic enterprise readiness.

Supported now
Enterprise OIDC sign-in

Tenant admins can configure enterprise OIDC connection details, bind a matching provider key, apply just-in-time provisioning rules, and run diagnostics before rollout.

Supported now
SCIM lifecycle provisioning

Current SCIM support covers connection-scoped bearer tokens, user and group lifecycle, membership updates, PATCH (incl. deprovisioning), equality filtering, pagination, and one-time token rotation. See the conformance matrix.

Boundary
SAML runtime remains explicit

NexinID stores canonical SAML setup data and validates it through diagnostics, but host-side SAML assertion processing is still intentionally deferred and is not presented here as fully active browser sign-in.

Self-Service Path

How enterprise setup works today

1. Create the enterprise connection

Tenant admins use the portal to choose OIDC or SAML, store provider metadata, and define just-in-time membership defaults.

2. Run diagnostics before rollout

Connection diagnostics validate OIDC authority or metadata readiness, required identifiers and secrets, SAML setup completeness, JIT membership defaults, and SCIM token readiness.

3. Rotate and publish SCIM credentials if needed

If lifecycle provisioning is required, admins rotate a connection-specific bearer token once, capture it securely, and publish the connection-scoped SCIM base URL to their IdP.

4. Follow the provider guide

Okta, Microsoft Entra ID, Google Workspace, and generic provider paths all route through the same canonical enterprise federation guide so the buyer story and technical setup stay aligned. After sign-in is established, delegated authorization and entitlement checks follow the same tenant application model used everywhere else in NexinID.

What To Expect

Current self-service boundaries

  • OIDC enterprise sign-in: Supported through the existing external-login runtime with connection-specific JIT enforcement.
  • SCIM lifecycle: Supported for users, groups, and organization membership lifecycle using connection-scoped endpoints and bearer tokens, including PATCH (incl. active deprovisioning), equality filtering, and pagination.
  • Google Workspace provisioning: Google Workspace sign-in is supportable through OIDC, but Google-managed lifecycle provisioning is still treated as deferred unless an external bridge emits SCIM-compatible requests to NexinID.
  • Broader protocol breadth: Current support is an intentional subset. Bulk operations, sorting, ETag/versioning, and host-side SAML assertion consumption are not claimed as complete. See the SCIM conformance matrix for the full supported/subset list.

Setup Guides

Canonical provider entry points

Each provider path below routes to the same enterprise federation guide so prospects, implementers, and support conversations all start from one current source of truth.

Okta

OIDC enterprise sign-in guidance, client details, diagnostics expectations, and SCIM setup notes for Okta-managed tenants.

Microsoft Entra ID

Tenant-specific issuer guidance, enterprise application setup, diagnostics readiness, and the current SCIM onboarding flow for Entra.

Google Workspace

Current supportable Google Workspace story for enterprise sign-in, plus the explicit lifecycle-provisioning boundary that avoids over-claiming one-click provisioning.

Generic OIDC providers

Use this path for standards-based providers that expose issuer metadata, client credentials, and the external-login provider key needed for runtime binding.

Generic SAML providers

Use this path when you need canonical SAML setup fields and diagnostics guidance while preserving the current public boundary that SAML runtime consumption is still deferred.

Operational Integrations

After connection setup, verify runtime and operational rollout

Enterprise setup and operational rollout are connected journeys. After SSO and SCIM setup, teams typically validate delegated authorization, entitlement-backed access checks, signed webhook delivery, replay behavior, and NDJSON export posture using the canonical implementation guides.

Need A Diligence Path?

Start with the guide, then bring the team in.

Review the canonical enterprise federation guide first. If your rollout depends on deployment controls, provider edge cases, or commercial onboarding, bring the NexinID team in with that same guide as the shared reference.