Documentation Index
Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
Use this file to discover all available pages before exploring further.
Single Sign-On (SSO)
Connect your identity provider (Okta, Microsoft Entra ID, Google Workspace, OneLogin, and more) so your team signs in to PromptGuard with your existing credentials. PromptGuard supports both SAML 2.0 and OIDC. You configure the connection yourself through a secure, hosted setup portal — PromptGuard never sees your IdP credentials.SSO and Directory Sync (SCIM) are Enterprise features. Talk to us to enable them for your organization.
How it works
- An organization admin opens the hosted setup portal from PromptGuard.
- In the portal, you connect your IdP (upload metadata / enter the SAML or OIDC details your IdP gives you).
- Your users sign in at PromptGuard and are redirected to your IdP to authenticate.
- On success, PromptGuard signs them in and (optionally) provisions their account.
Prerequisites
- An Enterprise PromptGuard organization.
- The Owner or Admin role in that organization.
- Admin access to your IdP (to create the SAML/OIDC application).
Set up SSO
Open the SSO settings
In the dashboard, go to Settings → SSO and click Configure SSO. PromptGuard opens a secure, hosted setup portal for your organization.
Connect your identity provider
In the portal, choose your IdP and follow its guided steps — create the SAML/OIDC application in your IdP, then paste the values back (or upload your IdP metadata). The portal validates the connection for you.
Set the allowed email domain(s)
Add the email domain(s) your employees use (e.g.
acme.com). This lets PromptGuard route those users to your IdP automatically at sign-in.How your users sign in
Once SSO is configured, members sign in one of two ways:- Automatic routing — they enter their work email on the PromptGuard login page; if the domain matches your configured domain, they’re sent to your IdP.
- Direct SSO link —
https://app.promptguard.co/auth/sso/<your-org-slug>/authorize. Share this with your team or wire it into your IdP’s app launcher.
Provisioning behavior
| Situation | What happens |
|---|---|
| New user, auto-provision on | An account is created and added to your organization as a Member on first SSO login |
| New user, auto-provision off | Login is refused until the user is invited to the organization |
| Existing PromptGuard user, already a member | Signed in via SSO |
| Existing user, not yet a member | Login is refused — they must be invited (or sign in with their existing method) first |
Security
- IdP credentials are entered only in the hosted setup portal — never stored in or visible to PromptGuard.
- Sessions use short-lived, revocable tokens (1-hour access, 7-day refresh).
- Pair SSO with Directory Sync so deprovisioning in your IdP immediately revokes PromptGuard access.
Troubleshooting
Login fails with “domain not allowed”
Login fails with “domain not allowed”
The user’s email domain isn’t in your SSO configuration. Add it in Settings → SSO.
Login fails with “link required”
Login fails with “link required”
The user already has a PromptGuard account that isn’t a member of your org. Invite them to the organization (Settings → Team), or have them sign in with their existing method and then connect SSO.
Users aren't created automatically
Users aren't created automatically
Auto-provisioning is off, or your domain isn’t configured. Enable auto-provision and confirm the domain, or use Directory Sync to provision from your IdP.
Next steps
Directory Sync (SCIM)
Auto-provision and deprovision members from your directory.
Organizations & Teams
Roles, members, and project-level access.