Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.baseten.co/llms.txt

Use this file to discover all available pages before exploring further.

Single sign-on (SSO) lets your organization control access to Baseten through your existing identity provider (IdP). Once SSO is enabled, every sign-in to your Baseten organization routes through your IdP, and any user provisioned for Baseten in your IdP can sign in automatically.
SSO is available on the Enterprise plan. Contact support to enable SSO for your organization.

How SSO works

When SSO is enabled for your organization, sign-ins are routed to a hosted login page that delegates authentication to your IdP and returns the user to Baseten on success. You don’t run anything on Baseten’s side. Once your IdP connection is configured, Baseten reads the authenticated identity and either signs the user in or provisions a new user account on the fly.

Supported identity providers

Baseten supports any SAML 2.0 IdP through WorkOS, including:
  • Okta
  • Google Workspace
  • Microsoft Entra ID (Azure AD)
For the full list and IdP-specific setup steps, see the WorkOS SSO integration docs.

Enable SSO for your organization

To enable SSO, contact support with:
  • Your Baseten organization name.
  • The email address of the person who configures SSO (usually an IT admin).
  • The email domain or domains your users sign in with.
Support sends you a one-time link to the SSO admin portal with step-by-step instructions for configuring your IdP. Once the connection is verified, SSO is required for all sign-ins to your organization.

Just-in-time provisioning

When a user signs in to Baseten through SSO for the first time, Baseten provisions a user account for them automatically, or just-in-time. Just-in-time provisioned users:
  • Join your organization with the Member role.
  • Are added to the default team with the Team Member role.
Members can deploy and call models. They can’t manage organization settings, billing, or other users. To grant a user a different role, an Admin can update their role in Organization settingsMembers after the first sign-in. Admins can also invite users directly to assign them specific roles in advance. The invitee still needs to sign in through SSO when opening the invite link.

Enforcement

Once SSO is enabled for your organization, every sign-in to Baseten goes through your IdP. If you need to disable SSO enforcement and re-enable signing in by email or OAuth, contact support.

SSO with multiple teams

When teams are enabled for your organization, JIT-provisioned users land in the default team as Team Members. To assign users to other teams or to grant team-admin roles, an Organization Admin can update their team membership manually.

Considerations

  • SSO is enabled at the organization level. You can’t selectively enable it for individual users or teams within an organization.
  • Email domains must match the domains configured in your IdP connection. Users with email addresses outside your configured domains can’t sign in through SSO.
  • If a user is removed from your IdP, they lose access to Baseten on their next sign-in attempt because authentication fails.