SSO & SCIM
DriftWise supports SAML-based Single Sign-On and SCIM user provisioning via Casdoor as the identity broker. SSO is available on Team and Enterprise plans. SCIM requires Enterprise.
Setting Up SAML SSO
1. Get your IdP metadata
From your identity provider (Okta, Azure AD, Google Workspace, etc.), obtain:
- IdP Metadata URL — the SAML metadata endpoint
- IdP Entity ID — the issuer identifier
2. Configure in DriftWise
curl -X PUT "https://app.driftwise.ai/api/v2/orgs/$ORG_ID/sso-config" \
-H "x-api-key: $DRIFTWISE_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"idp_metadata_url": "https://login.microsoftonline.com/.../federationmetadata/2007-06/federationmetadata.xml",
"idp_entity_id": "https://sts.windows.net/your-tenant-id/"
}'
3. Configure your IdP
Point your identity provider's SAML app to DriftWise's service provider:
| IdP field | Value |
|---|---|
| ACS URL | Provided by DriftWise during setup |
| Entity ID | Your org's SP entity ID in Casdoor |
| Name ID format | |
Viewing current config
curl "https://app.driftwise.ai/api/v2/orgs/$ORG_ID/sso-config" \
-H "x-api-key: $DRIFTWISE_API_KEY"
{
"enabled": true,
"idp_metadata_url": "https://...",
"idp_entity_id": "https://...",
"scim_endpoint": "https://casdoor.driftwise.ai/api/scim/your-org-id"
}
The scim_endpoint field only appears if your plan includes SCIM.
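A worked version of steps 1 to 3 plus the config check, as an added example rather than code from DriftWise or Casdoor: it inspects the IdP metadata before anything is submitted (expired `validUntil`, no signing certificate, or plain-http endpoints are rejected), builds the PUT body with the entity ID taken from the metadata so the two fields cannot disagree, and compares the GET response with what was sent. The metadata document, tenant ID, hostnames and certificate placeholder are all constructed; `put_sso_config` is the only function that touches the network.

```python
"""Added example (not DriftWise's or Casdoor's own code): inspect IdP SAML
metadata, build the sso-config PUT body from it, and verify the stored config.
The sample metadata below is constructed; nothing in it is a real tenant."""
import json
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
    validUntil="2099-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.test/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing certs and SSO URLs; refuse metadata that is
    expired, has no signing key, or points at non-https endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry < datetime.now(timezone.utc):
            raise ValueError("metadata validUntil has passed")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means both
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append((cert.text or "").strip())
    if not signing_certs:
        raise ValueError("no signing certificate: assertions could not be verified")

    sso_urls = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError("SSO endpoint %r is not https" % location)
        sso_urls[binding] = location

    return {"entity_id": root.get("entityID"),
            "signing_certs": signing_certs, "sso_urls": sso_urls}


def build_sso_config(metadata_url: str, xml_text: str) -> dict:
    """Body for PUT /api/v2/orgs/{org}/sso-config; entity ID comes from the
    metadata itself so idp_entity_id cannot drift from idp_metadata_url."""
    if not metadata_url.startswith("https://"):
        raise ValueError("idp_metadata_url must be https")
    info = inspect_idp_metadata(xml_text)
    return {"idp_metadata_url": metadata_url, "idp_entity_id": info["entity_id"]}


def check_stored_config(submitted: dict, stored: dict) -> list:
    """Compare the GET /sso-config response with what was PUT; returns problems."""
    problems = []
    if not stored.get("enabled"):
        problems.append("SSO is not enabled")
    for key in ("idp_metadata_url", "idp_entity_id"):
        if stored.get(key) != submitted[key]:
            problems.append("%s differs from what was submitted" % key)
    return problems


def put_sso_config(org_id: str, api_key: str, body: dict) -> dict:
    """The PUT from step 2 (network call; not exercised offline)."""
    req = urllib.request.Request(
        "https://app.driftwise.ai/api/v2/orgs/%s/sso-config" % org_id,
        data=json.dumps(body).encode(), method="PUT",
        headers={"x-api-key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_sso_config("https://login.example.test/metadata.xml", SAMPLE_METADATA)
    print(json.dumps(body, indent=2))
    stored = {"enabled": True, **body}  # stands in for the GET response
    print("problems:", check_stored_config(body, stored))
```

In practice you would fetch the metadata URL yourself, pass the XML to `build_sso_config`, call `put_sso_config`, then run `check_stored_config` against the GET response; an empty problem list means the stored config matches what you sent and SSO is on.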
SCIM Provisioning
SCIM automates user lifecycle management: when users are added to or removed from your IdP, the changes sync to DriftWise automatically.
Endpoint: The scim_endpoint from your SSO config response.
Configure this URL in your IdP's SCIM provisioning settings. SCIM supports:
- User creation (auto-joins the org)
- User deactivation (removes access)
- Group sync (maps to DriftWise roles)
SCIM is available on the Enterprise plan only. Team plan SSO config responses omit the scim_endpoint field.
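To make the three lifecycle events concrete, here is an added example (not DriftWise's or Casdoor's SCIM implementation) that models an org directory driven by SCIM 2.0 requests shaped like the ones IdPs send to the `scim_endpoint`. The requests are constructed: the create and deactivate bodies follow Okta's shape (no `path`, the value is an object), the reactivate body follows Entra ID's shape (`path` set, boolean sent as the string `"True"`). The group names, role names and the group-to-role mapping are assumptions for illustration, not product defaults.

```python
"""Added example (not DriftWise's or Casdoor's SCIM code): in-memory model of
SCIM user creation, deactivation and group-to-role sync. Requests and the
group/role mapping are constructed for illustration."""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed mapping of IdP group displayName -> DriftWise role.
GROUP_TO_ROLE = {"driftwise-admins": "admin", "driftwise-viewers": "viewer"}
DEFAULT_ROLE = "viewer"  # least privilege for users in no mapped group

# Constructed requests; Okta-style create/deactivate, Entra-style reactivate.
CREATE_ALICE = {"schemas": [SCIM_USER], "userName": "alice@example.test",
                "externalId": "00u1", "active": True}
OKTA_DEACTIVATE = {"schemas": [SCIM_PATCH],
                   "Operations": [{"op": "replace", "value": {"active": False}}]}
ENTRA_REACTIVATE = {"schemas": [SCIM_PATCH],
                    "Operations": [{"op": "Replace", "path": "active", "value": "True"}]}
ADMINS_GROUP = {"schemas": [SCIM_GROUP], "displayName": "driftwise-admins",
                "members": [{"value": "u1"}]}


def _scim_bool(value):
    """SCIM booleans arrive as JSON true/false or, from some IdPs, "True"/"False"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError("not a boolean: %r" % (value,))


class OrgDirectory:
    """Org membership as SCIM sees it: create, deactivate, group-to-role sync."""

    def __init__(self):
        self.users = {}  # SCIM id -> record

    def create_user(self, body):
        if SCIM_USER not in body.get("schemas", []):
            raise ValueError("400: not a User resource")
        name = body["userName"]
        if any(u["userName"].lower() == name.lower() for u in self.users.values()):
            raise ValueError("409: userName already exists")  # RFC 7644 uniqueness
        uid = "u%d" % (len(self.users) + 1)
        self.users[uid] = {"id": uid, "userName": name,
                           "externalId": body.get("externalId"),
                           "active": _scim_bool(body.get("active", True)),
                           "role": DEFAULT_ROLE}
        return uid

    def patch_user(self, uid, body):
        """Only 'replace' on active/userName/externalId. Deactivation keeps the
        record so audit history survives and reactivation is possible."""
        if SCIM_PATCH not in body.get("schemas", []):
            raise ValueError("400: not a PatchOp")
        user = self.users[uid]
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("400: unsupported op %r" % op["op"])
            changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
            for attr, value in changes.items():
                if attr == "active":
                    user["active"] = _scim_bool(value)
                elif attr in ("userName", "externalId"):
                    user[attr] = value
                else:
                    raise ValueError("400: attribute %r not writable" % attr)
        return user

    def sync_group(self, group):
        """Members of a mapped group get its role; a user who held that role and
        is no longer a member falls back to DEFAULT_ROLE. Unmapped groups grant
        nothing. Returns the ids whose role changed."""
        if SCIM_GROUP not in group.get("schemas", []):
            raise ValueError("400: not a Group resource")
        role = GROUP_TO_ROLE.get(group["displayName"])
        if role is None:
            return []
        member_ids = {m["value"] for m in group.get("members", [])}
        changed = []
        for uid, user in self.users.items():
            if uid in member_ids:
                new_role = role
            else:
                new_role = DEFAULT_ROLE if user["role"] == role else user["role"]
            if new_role != user["role"]:
                user["role"] = new_role
                changed.append(uid)
        return changed

    def has_access(self, uid):
        """Access requires an existing, active record."""
        user = self.users.get(uid)
        return bool(user and user["active"])


if __name__ == "__main__":
    d = OrgDirectory()
    uid = d.create_user(CREATE_ALICE)
    d.sync_group(ADMINS_GROUP)
    d.patch_user(uid, OKTA_DEACTIVATE)
    print(uid, d.users[uid]["role"], "access:", d.has_access(uid))
```

Two behaviours matter here: deactivation flips `active` to false and removes access without deleting the record, and the role is derived from group membership on every sync so a user dropped from the admins group loses the role rather than keeping it.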
Federation Info
Platform admins can retrieve OIDC federation details for configuring cloud provider trust:
curl "https://app.driftwise.ai/api/v2/federation-info" \
-H "Authorization: Bearer $OIDC_TOKEN"
/api/v2/federation-info rejects API key authentication: a request that sends x-api-key instead of a platform administrator's OIDC JWT gets 403.
{
"issuer_url": "https://driftwise.ai",
"subject": "system:serviceaccount:driftwise:scan-worker",
"audience": "https://driftwise.io/federation",
"service_account_email": "[email protected]"
}
Use these values when setting up OIDC Federation trust policies in AWS, GCP, or Azure.
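The following is an added example, not DriftWise tooling, of turning the federation-info response into cloud trust configuration that pins issuer, audience and subject: an AWS IAM role trust policy for `sts:AssumeRoleWithWebIdentity` and the flag values for a GCP workload identity pool OIDC provider. The `issuer_url`, `subject` and `audience` values copy the sample response above; the AWS account ID is made up. Pinning `sub` as well as `aud` is the point: a trust policy that checks only the audience lets any token the issuer signs for that audience assume the role.

```python
"""Added example (not DriftWise's own tooling): build AWS and GCP federation
trust settings from the federation-info response. Values below copy the
page's sample response; the AWS account ID is constructed."""
import json
import urllib.request

FEDERATION_INFO = {
    "issuer_url": "https://driftwise.ai",
    "subject": "system:serviceaccount:driftwise:scan-worker",
    "audience": "https://driftwise.io/federation",
}


def fetch_federation_info(oidc_token: str) -> dict:
    """Network call, not run offline. Must carry a platform admin's OIDC JWT;
    an x-api-key header is answered with 403."""
    req = urllib.request.Request("https://app.driftwise.ai/api/v2/federation-info",
                                 headers={"Authorization": "Bearer " + oidc_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def provider_host(issuer_url: str) -> str:
    """IAM names an OIDC provider by its issuer without the scheme and trailing
    slash; AWS only accepts https issuers, so anything else is rejected here."""
    if not issuer_url.startswith("https://"):
        raise ValueError("issuer_url must be https")
    return issuer_url[len("https://"):].rstrip("/")


def aws_trust_policy(info: dict, account_id: str) -> dict:
    """Role trust policy: Federated principal is the OIDC provider, and the
    StringEquals condition pins both <host>:aud and <host>:sub."""
    host = provider_host(info["issuer_url"])
    for key in ("audience", "subject"):
        if not info.get(key):
            raise ValueError("federation info lacks %s; refusing to build an open trust" % key)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::%s:oidc-provider/%s" % (account_id, host)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                host + ":aud": info["audience"],
                host + ":sub": info["subject"],
            }},
        }],
    }


def gcp_provider_flags(info: dict) -> dict:
    """Flag values for `gcloud iam workload-identity-pools providers create-oidc`:
    issuer and allowed audience are checked by the pool, and the CEL attribute
    condition restricts the exchange to the one subject."""
    provider_host(info["issuer_url"])  # same https check as for AWS
    if not info.get("subject"):
        raise ValueError("federation info lacks subject")
    return {
        "--issuer-uri": info["issuer_url"],
        "--allowed-audiences": info["audience"],
        "--attribute-mapping": "google.subject=assertion.sub",
        "--attribute-condition": 'assertion.sub == "%s"' % info["subject"],
    }


if __name__ == "__main__":
    print(json.dumps(aws_trust_policy(FEDERATION_INFO, "123456789012"), indent=2))
    for flag, value in gcp_provider_flags(FEDERATION_INFO).items():
        print(flag, value)
```

Replace the constructed account ID with your own, and run `fetch_federation_info` with an admin OIDC JWT rather than pasting the sample values, since the subject and audience a trust policy pins must be the ones the scan-worker token actually carries.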
Plan Requirements
| Feature | Team | Enterprise |
|---|---|---|
| SAML SSO | Yes | Yes |
| SCIM provisioning | - | Yes |
Requests to SSO endpoints on the Free plan return 402 Payment Required.