Airia supports setting up SSO for your organization using OpenID Connect (OIDC) and provisioning users & groups using SCIM 2.0.
Users
Roles and Permissions
The following table describes the roles and their default permissions| Role | Description |
|---|---|
| Platform Admin | Super administrator with access to all tenants and platform-level operations |
| Admin | Full administrator within a tenant |
| Read-Only Admin | Administrator with read-only access to tenant data |
| Security Admin | Administrator with credential management permissions |
| Project Admin | Project-level administrator with write access to assigned projects only |
| End User | Standard user with basic access |
Early Access: If your tenant has Custom Roles enabled, you can define your own roles with admin-selected permission sets in addition to the Default Roles above. See Custom Roles.
Project Admin Details
Project Admin is a role that provides administrative privileges scoped to specific assigned projects. When assigning a user as a Project Admin, Platform Admins or Admins must select the specific projects the user will have access to. Permissions and Capabilities:- Agent Development: Can build and deploy agents using components within their assigned projects
- Data Sources: Cannot create new data sources, but can add files to existing data sources within their projects
- Memory Objects: Can create and manage Memory objects within their projects
- User Prompts: Can create and manage User Prompts within their projects
- System Prompts: Cannot create or manage System Prompts
- Models: Cannot create or manage Models
- Tools: Cannot create or manage Tools
- Guardrails and Constraints: Can create new guardrails and constraints that are scoped to their assigned projects
- Feeds: Only see filtered activity feeds scoped to their assigned projects
- Platform Settings: No access to platform-wide settings aside from project-scoped API Keys and Credentials
Configure SSO:
Enter Your Identity Provider (IdP) Details
- Provide a friendly display name for your identity provider
- Create an OIDC app registration in your IdP (e.g., EntraID, Okta, Ping)
- Copy the redirect URI generated into your identity provider settings
- Enter the OIDC discovery endpoint in Airia to populate the URI
- Input your Client ID and Client Secret
- Specify the domains that should redirect to your IdP for authentication — these are your organization’s email domains (the part after
@in user email addresses, e.g.,yourcompany.com). Do not include the@symbol.
Enabling SSO, configures the Airia platform for JIT user provision. Ensure the OIDC app in the IdP has the appropriate users and groups.For Microsoft Entra integration, only OIDC v2 is supported.
To setup SCIM for automatic user and group provisioning from an identity provider:
For Entra customers, you will not need to configure custom attributes for groups.
Configure SSO Settings
Configure and test your SSO Settings as a prerequisite to SCIM 2.0 based provisioning.
Configure SCIM Connection
Copy the SCIM API endpoint and the secret token from your Airia tenant to the enterprise application in your IdP.
Configure Group Attributes
- Navigate to Group attribute mappings and ensure the group’s display name is mapped directly
- Add a custom attribute for ‘IdentityGroupName’ and map it to the group’s displayName
IdP provisioned Users and groups are managed in your IdP. The users and groups list view will reflect the source of the users and groups as ‘IdP’ to indicate they are not locally created in the Airia platform. Groups are set to read-only when provisioned via SCIM.
SCIM changes from your identity provider (including on-demand provisioning) are synchronized to the Airia platform on a 10-minute interval. After making changes in your IdP, allow up to 10 minutes for them to be reflected in Airia. Your IdP may report the provisioning operation as successful before the changes appear in the Airia console.