Windmill supports SAML 2.0 single sign-on (SSO) so your team can authenticate through your company’s identity provider. Okta and Microsoft Entra ID are fully tested, and any SAML 2.0 compliant provider should work. You can optionally enable SCIM 2.0 to automate user provisioning and group sync from your identity provider.

Before you begin

You’ll need:
  • Admin access to your Windmill account
  • Admin access to your identity provider (Okta, Microsoft Entra ID, etc.)
Rippling requires exclusive control over user provisioning. If you connect Rippling, SCIM will be automatically disabled if it was previously enabled, and you won’t be able to enable SCIM while Rippling is connected.

Configure SAML SSO

Go to Settings > Security to begin the SSO setup wizard.
1. Copy your SP metadata

Windmill displays your Entity ID (Audience URI), ACS URL, and Login URL. Copy these values into your identity provider’s SAML application settings, or click Download SP Metadata XML to download the metadata file. The wizard also shows the expected attribute mappings (firstName → user.firstName, lastName → user.lastName) and the Name ID format (EmailAddress).
[Screenshot: SSO wizard showing Entity ID, ACS URL, Login URL, and attribute mappings]
2. Provide your IdP metadata

After configuring your identity provider, provide your SAML metadata so Windmill can recognize authentication requests. You can either paste a metadata URL or upload the XML directly.
[Screenshot: SSO wizard showing URL and XML options for IdP metadata]
3. Test your SSO connection

Click Test SSO to verify the connection. You’ll be redirected to your identity provider to authenticate. On success, you’ll see a confirmation in Windmill.

Activate SSO

Once you activate SSO, it’s enforced for all users. Google and Microsoft social login will be disabled. There is no fallback—if your identity provider goes down or SSO is misconfigured, no one (including admins) can log in until the issue is resolved. Test thoroughly before activating.
After a successful test, activate SSO to enforce it across your account. Once active, your security settings will show the SSO configuration details and a link to set up SCIM.
[Screenshot: Security settings showing active SSO configuration with Service Provider and Identity Provider details]
Once SSO is active, users who authenticate for the first time are automatically created in Windmill as team members. This means you don’t need to manually invite every user—they’re provisioned on first login.

Configure SCIM (optional)

SCIM (System for Cross-domain Identity Management) automates user provisioning and group sync from your identity provider. SCIM requires SSO to be active before it can be enabled.
1. Generate a SCIM token

In Settings > Security, generate a SCIM bearer token. Windmill displays the Secret Token and Tenant URL you’ll need for your identity provider.
This token is displayed once. Copy it immediately and store it securely. If you lose it, you’ll need to generate a new one and update your identity provider.
[Screenshot: SCIM wizard showing the Secret Token and Tenant URL]
2. Configure your identity provider

Paste the SCIM Tenant URL and Secret Token into your identity provider’s SCIM provisioning settings.
3. Enable SCIM provisioning

After configuring your identity provider, return to Settings > Security and toggle Enable SCIM provisioning to start syncing users automatically.
[Screenshot: SCIM settings panel showing the Enable SCIM provisioning toggle]

User provisioning

Users provisioned via SCIM are created as team members in Windmill. Only first name and last name are synced from your identity provider—both are strongly recommended in your IdP’s attribute mappings.

Group sync

Groups from your identity provider map directly to Windmill Groups. This lets you manage group membership at scale from your identity provider rather than manually in Windmill.

Deprovisioning

When a user is removed from your identity provider, they’re deactivated in Windmill. All of their data—reviews, feedback, notes—is preserved. If the user has access to a different Windmill account, that access is unaffected.

SAML attribute mappings

Attribute              Required              Notes
NameID (EmailAddress)  Yes                   Used to identify the user
firstName              Strongly recommended  Populates the user’s first name
lastName               Strongly recommended  Populates the user’s last name
No custom attribute mapping is needed. Windmill only requires the NameID and recommends first and last name for a complete user profile.
Attribute paths vary by identity provider:
  • Okta: firstName → user.profile.firstName, lastName → user.profile.lastName
  • Microsoft Entra ID: firstName → user.givenname, lastName → user.surname
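To troubleshoot the mappings above (and the "NameID missing" case in the FAQ), it helps to inspect a decoded assertion directly. The following is an added example, not Windmill's code; it assumes the SAML response has already been base64-decoded and signature-verified by your SAML library, and only checks that the NameID uses the EmailAddress format and that firstName/lastName are present. The sample assertion is constructed.

```python
"""Check a decoded, already-verified SAML assertion for the attributes Windmill expects.

Added example, not Windmill's code. Assumes signature verification happened
upstream; this only inspects NameID format and the firstName/lastName attributes."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (not a real IdP response), already decoded.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str) -> dict:
    """Return the extracted identity values plus a list of problems found."""
    root = ET.fromstring(xml_text)
    problems = []
    # NameID is the only required attribute; it must be an email address.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing: the IdP is not releasing the required attribute")
        email = None
    else:
        email = name_id.text.strip()
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID format is {name_id.get('Format')!r}, expected EmailAddress")
    # firstName/lastName are strongly recommended; missing ones leave an incomplete profile.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in ("firstName", "lastName"):
        if not attrs.get(name):
            problems.append(f"{name} not sent: profile will be incomplete")
    return {"email": email, "firstName": attrs.get("firstName"),
            "lastName": attrs.get("lastName"), "problems": problems}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
```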

Best practices

  • Test SSO before activating. There’s no fallback if something goes wrong—verify the connection works with the Test button first.
  • Copy the SCIM token immediately. It’s only displayed once. If you lose it, you’ll need to generate a new one and update your identity provider.
  • Use SCIM groups to manage Windmill Groups. Managing group membership from your identity provider is easier than maintaining groups manually in Windmill.
  • Don’t enable both Rippling and SCIM. They’re mutually exclusive. If you use Rippling for provisioning, continue using Rippling.

FAQs

How do I disable SSO?
Contact Windmill support at support@gowindmill.com to have SSO disabled for your account.

How do I regenerate the SCIM token?
Generate a new token from Settings > Security. You’ll need to update the token in your identity provider’s SCIM configuration afterward.

What if SSO login fails?
Verify that your identity provider is sending the NameID attribute in the SAML assertion. Check your IdP’s attribute release settings to make sure the required attributes are included.

Can I use SCIM together with Rippling?
SCIM and Rippling provisioning can’t be used together. Disconnect Rippling before enabling SCIM, or continue using Rippling to manage user access.