One Login for All Your AI Tools

Enterprise users don’t want another password. They want AI tools that work with their existing identity system.

Calliope integrates with your SSO provider.

Why SSO Matters

For users:

• One login, not another password
• Seamless access
• MFA they already use

For IT:

• Centralized user management
• Provision/deprovision in one place
• Consistent security policies

For compliance:

• Access controlled through approved IdP
• Audit trail back to enterprise identity
• Policy enforcement consistent with other systems

Supported Providers

Calliope integrates with:

SAML 2.0:

• Okta
• Azure AD
• OneLogin
• Ping Identity
• Google Workspace
• Any SAML 2.0 compliant IdP

OpenID Connect:

• Azure AD
• Google
• Okta
• Auth0
• Keycloak

Integration Process

1. Configuration exchange

• Export IdP metadata
• Import into Calliope
• Configure attribute mapping

2. Test flow

• Attempt SSO login
• Verify user creation
• Check attribute mapping

3. Enable for users

• Switch to SSO-only (optional)
• Communicate to users
• Monitor adoption

Attribute Mapping

Map IdP attributes to Calliope:

Required:

• Email (unique identifier)

Recommended:

• First name
• Last name
• Department/team
• Groups/roles

Groups can map to Calliope permissions for automatic role assignment.

Provisioning Options

Just-in-Time (JIT):

• User created on first login
• Attributes synced from IdP
• No upfront provisioning needed

SCIM provisioning:

• Users synced before first login
• Automatic deprovisioning
• Group membership synced

Manual:

• Admin creates users
• SSO used for authentication only

Group-Based Access

Map IdP groups to Calliope permissions:

Example:

• IdP group “engineering” → Calliope role “developer”
• IdP group “data-team” → Calliope role “analyst”
• IdP group “leadership” → Calliope role “viewer”

Access managed in your IdP, enforced in Calliope.

Security Considerations

MFA: Enforced through your IdP—Calliope respects IdP MFA.

Session management: Configurable session timeout. Single logout support.

Conditional access: IdP policies (location, device, risk) apply.

Deprovisioning

When users leave:

With SCIM: Disable in IdP → Automatically disabled in Calliope

With JIT: Disable in IdP → Next login fails → Admin cleanup

Immediate revocation: Admin can disable directly in Calliope if urgent

Troubleshooting SSO

Login fails:

• Check IdP configuration
• Verify attribute mapping
• Check certificate validity

User not created:

• Check required attributes present
• Verify JIT provisioning enabled
• Check IdP sending correct assertion

Wrong permissions:

• Verify group membership
• Check group-to-role mapping
• Confirm IdP sending groups attribute

The SSO Integration Checklist

Setting up SSO:

• IdP configuration exported
• Calliope SSO settings configured
• Attribute mapping defined
• Test login successful
• Group mapping configured (if using)
• Provisioning strategy decided
• Users notified of SSO availability

One identity. All AI tools.

Set up SSO for Calliope →