SSO SAML cloud cost management

Enterprise SSO + SCIM 2.0 for your FinOps platform.

Bind a per-tenant Auth0 Enterprise Connection (Okta, Azure AD, Google Workspace, Ping, OneLogin, generic SAML/OIDC), claim your email domains, and optionally enforce SSO so personal credentials are rejected. Provision and deprovision members automatically with a SCIM 2.0 bearer token your IdP rotates.

Per-tenant: One Enterprise Connection per workspace
SCIM 2.0: Auto-provision + deprovision from your IdP
Enforced: Optional — block non-SSO logins

Most FinOps tools either skip SSO entirely or sell a single shared Auth0 connection across all customers — which means your IdP can’t actually own the lifecycle of your users. Lumicost binds each workspace to its own Auth0 Enterprise Connection, routes logins by claimed email domain, and exposes a SCIM 2.0 endpoint so your Okta / Azure AD / Google Workspace deprovisions seats the moment someone leaves. SAML, OIDC, and JIT user creation all work out of the box.

How Lumicost delivers SSO SAML cloud cost management

Per-tenant Auth0 Enterprise Connection

Bind your workspace to a dedicated SAML or OIDC connection — Okta, Azure AD, Google Workspace, Ping, OneLogin, JumpCloud, generic SAMLp. No shared multi-tenant connection. Owner / Admin role required to configure.

Claimed-domain login routing

List the email domains your tenant owns (acme.com, corp.acme.com). Logins from those domains are routed straight to your Identity Provider — no connection picker, no leaked tenant boundary.

Optional SSO enforcement

Flip a single toggle to block any login that didn’t come through your bound connection. Personal Google or password tokens are rejected at the API gateway, even if the user previously had a session.

SCIM 2.0 bearer-token provisioning

Generate a per-tenant SCIM token, paste it into Okta / Azure AD / OneLogin, and your IdP becomes the source of truth for memberships and roles. Rotate or disable the token from the UI; the previous token revokes immediately.

Audit-logged, evidence-grade

Every config change (binding, domain claim, enforcement toggle, SCIM rotation, SCIM-driven member create/update/delete) emits a row to the same append-only audit log used by SOC 2, ISO 27001, HIPAA, FedRAMP and the SIEM exporter. Your auditor and your SOC see the exact same events.

Frequently asked questions

Do I get my own Auth0 connection or a shared one?

Your own. Each tenant binds to a dedicated Auth0 Enterprise Connection that you (or we) configure once on the Auth0 dashboard. There is no shared SSO pool — your IdP metadata, certificates, and claim mappings are isolated per workspace.

Which protocols and providers are supported?

Anything Auth0 Enterprise supports: SAML 2.0, OIDC, WS-Federation. That covers Okta, Azure AD / Entra ID, Google Workspace, Ping Identity, OneLogin, JumpCloud, ADFS, and any generic SAMLp IdP. We do not require a specific vendor.

How does SCIM 2.0 provisioning work?

From /settings/sso you generate a SCIM bearer token (the plaintext is shown once). You paste it into your IdP’s SCIM app config along with the SCIM endpoint URL we expose. Your IdP then drives Users (POST/PATCH/DELETE) and optionally Groups → Lumicost roles. Rotating the token revokes the previous one immediately.
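The token lifecycle and deprovisioning flow described in this answer (and in the SCIM feature card above), sketched as an added example that is not Lumicost's own code: a per-tenant store that keeps only a digest of the SCIM bearer token, revokes the previous token the moment a new one is minted, and a PATCH /Users/{id} handler that accepts the deactivation shapes Okta (path-less object value) and Entra ID (path plus string value) actually send. The class and function names, and the in-memory store, are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

class ScimTokenStore:
    """Per-tenant SCIM bearer token (hypothetical). Only a SHA-256 digest is kept; plaintext is returned once."""

    def __init__(self):
        self.active_digest = None  # None: SCIM disabled for this tenant

    def rotate(self):
        """Mint a new token. Overwriting the digest revokes the previous token immediately."""
        plaintext = secrets.token_urlsafe(32)
        self.active_digest = hashlib.sha256(plaintext.encode()).hexdigest()
        return plaintext

    def disable(self):
        self.active_digest = None

    def verify(self, authorization):
        """Validate an Authorization header value; the digest comparison is constant-time."""
        scheme, _, token = authorization.partition(" ")
        if scheme.lower() != "bearer" or not token or self.active_digest is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(presented, self.active_digest)

def _error(status, scim_type=None):
    body = {"schemas": [ERROR], "status": str(status)}
    return status, body | ({"scimType": scim_type} if scim_type else {})

def scim_patch_user(store, authorization, user, patch):
    """Handle PATCH /Users/{id} for one stored user dict; returns (http_status, body)."""
    if not store.verify(authorization):
        return _error(401)
    if PATCH_OP not in patch.get("schemas", []):
        return _error(400, "invalidValue")
    updated = dict(user)
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            return _error(400, "invalidValue")
        # Okta: {"op": "replace", "value": {"active": false}}; Entra ID: path "active", value "False"
        updated.update({op["path"]: op["value"]} if "path" in op else dict(op["value"]))
    if "active" in updated:  # a string "False" must still deactivate the seat
        v = updated["active"]
        updated["active"] = v if isinstance(v, bool) else str(v).lower() == "true"
    return 200, updated
```

A request carrying the pre-rotation token gets a 401 rather than a stale-but-accepted write, which is the property the audit log and your IdP both rely on.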

What happens if I enforce SSO and lose access to my IdP?

Enforcement only blocks logins for the bound tenant. The original Owner who configured SSO can disable enforcement from the UI as long as they hold a valid Lumicost session, and our support team can break-glass-disable enforcement on request from a verified billing contact. We recommend keeping at least one Owner with a recovery path before enabling enforcement.

Ready to start saving?

Connect read-only credentials, get your first insights in 24 hours.