We’re pleased to announce that enterprise SSO user provisioning is now available for Enterprise company workspaces on RunDiffusion.
This Enterprise-only feature allows your identity provider (IdP) to automatically create, update, and deactivate users while also driving team and role membership from your IdP groups. Instead of managing every invite or permission change by hand, your workspace can stay aligned with your company directory automatically.
What This Release Enables
SCIM 2.0 Provisioning for Enterprise Teams
Enterprise customers can now connect Microsoft Entra ID (Azure AD) or another SCIM-capable identity provider to RunDiffusion using SCIM 2.0.
With SCIM provisioning enabled, your IdP can:
- Create new users automatically
- Update existing users and access details
- Deactivate users when they leave your organization
- Sync groups that can be mapped to RunDiffusion teams and roles
This gives Enterprise teams a more reliable way to keep access current without depending on manual onboarding and offboarding.
SSO and Provisioning Controls in One Place
The new SSO and User Provisioning page in RunDiffusion's Runnit Platform brings your key authentication and provisioning controls together in one place for Enterprise workspaces.
How to Access SSO and User Provisioning
You can access the new provisioning controls from your company workspace settings:
- Click your Account Icon, then open Company Dashboard
- Click Company Settings
- Click SSO and User Provisioning
The page also shows the navigation path clearly in the interface:
Company Dashboard → Company Settings → SSO and User Provisioning
What You Can Configure on the Page
SSO Configuration
At the top of the page, you can review your SSO (Single Sign-On) Configuration.
This section includes:
- An Identifier used for your SSO setup
- Your company Sign-On Link
- An Enforce SSO Authentication option
When SSO enforcement is enabled, the SSO login method becomes the only login method available to users in that company workspace. This helps Enterprise organizations standardize authentication and keep access tied to their identity provider.
If your company needs to change its identity provider, the page also includes an option to open a support ticket for help updating the SSO configuration.
User Provisioning Configuration
The User Provisioning Configuration section contains the settings needed to enable SCIM provisioning.
This area includes:
- A toggle to Enable User Provisioning (SCIM)
- Your SCIM Server Base URL
- A View tutorial button
- The SCIM Access Token section with a token generation or regeneration option
The interface also explains an important behavior change: once SCIM provisioning is enabled, your identity provider pushes user and group changes into RunDiffusion, and you will no longer make team member or role assignments manually inside RunDiffusion.
For Enterprise IT teams, that matters. Once provisioning is active, your IdP becomes the source of truth for user lifecycle changes and group-driven access.
Guided Setup Without Turning This Into a Full Tutorial
This article is meant to announce the feature and show admins where to find it, not replace the full setup documentation.
Inside the User Provisioning Configuration section, the page includes a View tutorial option under How to get started? That guided walkthrough shows your team how to:
- Connect your identity provider to the RunDiffusion SCIM server
- Use the SCIM server details correctly
- Map user groups to RunDiffusion teams and roles
For Microsoft Entra ID setup, readers can use the full walkthrough here:
How to Configure a New SSO Configuration with Microsoft Entra ID (Azure AD) | RunDiffusion
Learn how to configure Single Sign-On (SSO) for your Enterprise RunDiffusion account using Microsoft Entra ID (formerly Azure AD). Follow this step-by-step guide to integrate SAML-based SSO, streamline authentication, and secure access across your organization.
RunDiffusion Team
Team and Role Mapping
One of the most important parts of this Enterprise release is the ability to let your IdP groups drive access inside your RunDiffusion company workspace.
That means you can map external groups to:
- RunDiffusion teams
- RunDiffusion roles
This reduces permission drift and helps keep access aligned as employees join, change responsibilities, or leave.
For related background, see:
Company Roles in RunDiffusion: Guide to Company Administrator Permissions | RunDiffusion
Learn how Company Roles work in RunDiffusion, including Account Owner, Report Analyst, and company-level admin permissions.
RunDiffusion Team
Team Roles in RunDiffusion: Guide to Permissions and Controls | RunDiffusion
Learn what each Team Role option does in RunDiffusion, including token cooldown, generation permissions, and Open-Source App access.
RunDiffusion Team
Sync, Visibility, and Administrative Control
This release is designed to make provisioning more manageable for Enterprise admins.
Teams can benefit from:
- Manual and scheduled sync
- Sync preview before changes are applied
- Email notifications
- A detailed, audit-style changelog email
These capabilities give your organization better visibility into what changed, when it changed, and how those changes affect workspace access.
Why This Matters for Enterprise Teams
Enterprise teams need more than simple SSO. They need identity-driven access that scales with real organizational change.
With enterprise SSO user provisioning on RunDiffusion, you can:
- Reduce manual invites and account cleanup
- Keep onboarding and offboarding consistent
- Align workspace access with your central directory
- Push team and role changes from your IdP instead of managing them one by one
- Give admins more visibility into provisioning activity
For larger organizations, this creates a cleaner and more dependable access model.
Common Considerations Before Enabling SCIM
Before turning on provisioning, it helps to plan for a few operational details:
- Confirm which IdP groups should map to which RunDiffusion teams and roles
- Review whether your team is ready for the IdP to become the source of truth
- Test provisioning behavior before broad rollout
- Store and manage your SCIM token securely
- Decide whether Enforce SSO Authentication should be enabled immediately or introduced in stages
Enterprise Availability
SSO and User Provisioning is an Enterprise-only feature for RunDiffusion company workspaces.
If your organization needs centralized authentication, SCIM-based provisioning, and identity-driven team and role mapping, this feature is designed specifically for Enterprise administration and access control.
Get Started
To begin using enterprise SSO user provisioning in your Enterprise company workspace:
Open Company Dashboard
Go to Company Settings
Select SSO and User Provisioning
Review your SSO details. Enable SCIM provisioning when ready. Use the built-in View tutorial guide to complete setup and group mapping
This release gives Enterprise teams a scalable way to manage access on RunDiffusion, with your identity provider handling the user lifecycle and RunDiffusion reflecting those changes inside your workspace.
FAQ
Is SSO and User Provisioning available on all plans?
No. SSO and User Provisioning is an Enterprise-only feature for RunDiffusion company workspaces.
What identity providers are supported?
RunDiffusion supports Microsoft Entra ID (Azure AD) and other SCIM-capable identity providers using SCIM 2.0.
What does SCIM provisioning do?
SCIM provisioning allows your identity provider to automatically create users, update user details and access, deactivate users, and sync groups that can be mapped to RunDiffusion teams and roles.
What happens after SCIM provisioning is enabled?
Once SCIM provisioning is enabled, your identity provider pushes user and group changes into RunDiffusion, and you will no longer make team member or role assignments manually inside RunDiffusion.
Where do I configure SSO and provisioning settings?
You can access these settings from:
Account Icon → Company Dashboard → Company Settings → SSO and User Provisioning
What can admins configure on the SSO and User Provisioning page?
Admins can access the SSO identifier, company sign-on link, Enforce SSO Authentication option, SCIM Server Base URL, SCIM Access Token controls, and a guided tutorial for setup and group mapping.
What does Enforce SSO Authentication do?
When enabled, the SSO login method becomes the only login method available to users in that company workspace.
How do I set up SCIM provisioning?
RunDiffusion provides a built-in View tutorial option inside the SSO and User Provisioning page. For Microsoft Entra ID, readers can also use the full walkthrough here:
How to Configure a New SSO Configuration with Microsoft Entra ID (Azure AD) | RunDiffusion
Learn how to configure Single Sign-On (SSO) for your Enterprise RunDiffusion account using Microsoft Entra ID (formerly Azure AD). Follow this step-by-step guide to integrate SAML-based SSO, streamline authentication, and secure access across your organization.
RunDiffusion Team
Can I preview provisioning changes before syncing?
Yes. The platform includes sync preview before changes are applied.
Will admins receive notifications about provisioning changes?
Yes. RunDiffusion provides email notifications with a detailed, audit-style changelog email.
Can groups be mapped to teams and roles?
Yes. IdP groups can be mapped to RunDiffusion teams and roles.