Skip to Content
TutorialsEnterprise Setup

Enterprise Setup

Configure SAML SSO and SCIM provisioning for your enterprise.

SSO requires a Business plan or higher. SCIM provisioning requires an Enterprise plan. View plans

Prerequisites

  • Business plan (for SSO) or Enterprise plan (for SCIM)
  • Admin role in your organization
  • Access to your identity provider admin console

Part 1: SAML SSO Configuration

Get Penvio SAML Details

  1. Go to OrganizationSecuritySAML SSO
  2. Note these values:
    • Entity ID (SP)
    • ACS URL
    • Logout URL

Configure Your IdP

The steps vary by provider. Here’s a general guide:

In Okta:

  1. Admin Console → Applications → Create App Integration
  2. Select SAML 2.0
  3. Enter app name: “Penvio”
  4. Enter SSO URL (ACS URL from Penvio)
  5. Enter Audience URI (Entity ID from Penvio)
  6. Configure attribute statements:
    • email → user.email
    • firstName → user.firstName
    • lastName → user.lastName
  7. Save and get IdP metadata

In Azure AD:

  1. Enterprise Applications → New Application
  2. Create your own application
  3. Set up single sign-on → SAML
  4. Enter Entity ID and Reply URL
  5. Add attributes for email, name
  6. Download Federation Metadata XML

Configure Penvio

  1. Return to Penvio SAML settings
  2. Click Upload Metadata
  3. Upload the XML file from your IdP
  4. Click Save

Test SSO

  1. Click Test Connection
  2. You’ll be redirected to your IdP
  3. Sign in with an IdP account
  4. Should return successfully

Enable SSO

  1. Choose enforcement:
    • Optional: Users can use SSO or password
    • Required: All users must use SSO
  2. Click Enable

Part 2: SCIM Provisioning (Enterprise)

Enable SCIM

  1. Go to OrganizationSecuritySCIM
  2. Click Enable SCIM

Get SCIM Credentials

  1. Click Generate Token
  2. Copy the token (shown once)
  3. Note the SCIM base URL

Configure Your IdP

In Okta:

  1. Go to your Penvio app in Okta
  2. Provisioning tab → Configure API Integration
  3. Enable API Integration
  4. Enter SCIM base URL
  5. Enter Bearer token
  6. Test API Credentials

Enable provisioning features:

  • Create Users
  • Update User Attributes
  • Deactivate Users

In Azure AD:

  1. Go to your Penvio enterprise app
  2. Provisioning → Get started
  3. Select Automatic
  4. Enter Tenant URL (SCIM base URL)
  5. Enter Secret Token (SCIM token)
  6. Test Connection
  7. Configure mappings
  8. Turn Provisioning Status: On

Configure Attribute Mapping

Ensure these are mapped:

IdP AttributePenvio
emailuserName
givenNamename.givenName
surnamename.familyName
displayNamedisplayName

Assign Users

  1. In your IdP, assign users/groups to the Penvio app
  2. Users are provisioned automatically
  3. Check Penvio Members list to confirm

Part 3: Testing

Test SSO Login

  1. Sign out of Penvio
  2. Go to penvio.io/login
  3. Click Sign in with SSO
  4. Enter your organization slug
  5. Complete IdP login
  6. Should land in Penvio

Test Provisioning

  1. Assign a new user in IdP
  2. Wait for sync (usually 20-40 min)
  3. Check Penvio Members list
  4. New user should appear

Troubleshooting

SSO Login Fails

  • Check certificate expiration
  • Verify attribute mapping
  • Review IdP logs

Users Not Provisioned

  • Check SCIM token validity
  • Verify attribute mapping
  • Review IdP provisioning logs

What You Learned

  • Configure SAML SSO
  • Set up SCIM provisioning
  • Connect with identity providers
  • Test enterprise integrations

Next Steps

Last updated on
Team CollaborationOverview