Setting up SSO and Directory Sync

Connect your identity provider for single sign-on and automatic user provisioning, set up Admin and Member directory groups, sync job titles, and map groups to access roles.

Written by Ky Shera-Jones

🔒 Permissions: Only Admins can set up SSO and Directory Sync, from Workspace Admin → Security & Access. Learn more about roles →

Single Sign-On (SSO) lets your team sign in to Minikai with the work credentials they already use, and Directory Sync keeps your user list in step with your identity provider, so people are given access when they join and have it removed when they leave. Setting both up well means less manual user management for your admins and a cleaner audit trail. This guide covers connecting your provider, setting up Admin and Member groups, syncing job titles, and mapping groups to access roles.

When to use this

  • You're rolling Minikai out to a large team and don't want to invite and manage everyone by hand.

  • Your organisation already uses an identity provider like Microsoft Entra ID, Okta, or Google Workspace, and you want staff to sign in with their existing login.

  • You want joiners and leavers handled automatically, so access follows your directory and offboarding is reliable.

  • Your IT team manages access centrally and wants to control who can do what from the directory rather than inside Minikai.

How it works

There are two separate pieces, and most organisations use both together:

  • SSO controls how people sign in. They authenticate with your identity provider instead of a Minikai password.

  • Directory Sync (SCIM) controls who exists in your workspace and which groups they belong to. Your directory becomes the source of truth for user accounts.

You set both up from one place: Workspace Admin → Security & Access. Each has its own card with a guided setup that walks you through connecting your provider.

Step 1: Open Security & Access

Click your workspace name at the top-left of the sidebar, select Workspace Admin, then choose Security & Access under Access Management in the left sidebar. This is where SSO, Directory Sync, domain verification, and audit log streaming all live.

Step 2: Set up Single Sign-On

On the Single Sign-On card, select Set up SSO and follow the guided steps. You'll be asked to choose your identity provider; Minikai supports the major providers, including Microsoft Entra ID, Okta, and Google Workspace, over both OpenID Connect and SAML.

💡 Choose OpenID Connect where you can: Type "OpenID" in the provider search to see the OpenID Connect options, and pick the one for your provider, for example Entra ID OpenID Connect for Microsoft. Avoid the plain Entra ID (Azure AD) entry at the top of the unfiltered list, which uses SAML. OpenID Connect syncs job titles automatically; with SAML you'll need to map the job title attribute by hand (covered in Step 5).

The setup flow gives you the details your provider needs and lets you test the connection before you turn it on. We recommend testing with one account before rolling SSO out to your whole team.

Step 3: Set up Directory Sync

On the Directory Sync card, select Set up directory. You'll see the Select your identity provider screen; search for your provider (Okta, Entra ID, Google Workspace, and others are supported, along with Custom SCIM for anything else) and follow the guided steps to connect your directory.

Once connected, the users and groups you assign to Minikai in your provider are created in your workspace automatically, and removing someone in your directory removes their access here.

Step 4: Create separate Admin and Member groups

This is the step that is easiest to get wrong. In your identity provider, create two groups for Minikai, for example "Minikai Admins" and "Minikai Members", and assign people to the group that matches the access they need. Once your directory is connected, the setup shows your synced groups with a role dropdown beside each; map each group to the matching Minikai role.

If you put everyone in a single group, everyone receives the same role. Most often that means a workspace full of Admins, or a workspace where nobody has the access they need.

💡 Tip: If a synced user isn't in any mapped group, they're given the default Member role, which has no access to records or Minis until permissions are assigned. A user in several mapped groups receives all of those roles. Plan your groups before you switch Directory Sync on.

Step 5: Sync job titles

Job titles are useful in Minikai: admins can filter and assign permissions in bulk by job title, which saves a lot of time on larger teams. How job titles sync depends on how you connect:

  • Directory Sync or OpenID Connect SSO: job titles sync automatically. There's nothing extra to set up; the title comes across with each user.

  • SAML SSO: SAML doesn't send job titles by default. You need to add an attribute mapping (called a claim in Microsoft Entra ID) so the title is included.

To map job title for a SAML connection in Microsoft Entra ID:

  1. In the Microsoft Entra admin centre, open your Minikai enterprise application and go to Single sign-on → Attributes & Claims → Add new claim.

  2. Set Name to job_title, leave Namespace empty, set Source to Attribute, and choose user.jobtitle as the Source attribute.

  3. Save, then have a user sign in again so the updated attribute comes through.

Other providers have an equivalent screen (often called attribute statements or attribute mappings); send the directory's job title field as job_title.
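
One way to confirm the mapping from Step 5 took effect is to inspect the assertion from a test sign-in and check that the attribute arrives named exactly job_title. This is an added example, not Minikai's code: the function name and the sample assertions are constructed, and capturing the assertion (for example with a browser SAML tracing tool) is assumed.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED = "job_title"  # attribute name given in this guide

def check_job_title(assertion_xml):
    """Return (status, detail) for the job title attribute in an assertion.

    Inspection only: no signature or condition validation is performed,
    so use it on an assertion from your own test sign-in.
    """
    root = ET.fromstring(assertion_xml)
    near_misses = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        if name == EXPECTED:
            value = next((v for v in values if v), "")
            return ("ok", value) if value else ("empty", name)
        # A namespace-prefixed or differently spelled name (as happens when
        # Namespace is not left empty) is not the same attribute.
        if name.lower().replace("_", "").endswith("jobtitle"):
            near_misses.append(name)
    if near_misses:
        return ("wrong_name", near_misses[0])
    return ("missing", "")

# Constructed assertion fragments (not captured from a real tenant).
GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="job_title">
      <saml:AttributeValue>Support Coordinator</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NAMESPACED = GOOD.replace('Name="job_title"',
                          'Name="http://example.com/claims/job_title"')

if __name__ == "__main__":
    print(check_job_title(GOOD))        # mapping is correct
    print(check_job_title(NAMESPACED))  # Namespace was not left empty
```

A wrong_name result means the claim is being sent but under a different name, which usually points back to the Name or Namespace field in step 2.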

Advanced: mapping groups to access roles

Beyond Admin and Member, you can map directory groups to workspace-wide access roles so the right access is granted automatically as people are provisioned. This is helpful for larger rollouts where IT wants to manage access centrally from the directory.

For example, you might create a directory group that maps to Record All Viewer (view all records) or Mini All Editor (edit all Minis), and assign staff to the group that fits their role. See App roles and permissions for what each role grants.

To set this up, create one directory group per access role you want to use, then map each group to its role under Role assignment in the Directory Sync configuration. Assign each person to the groups that match their access.

ℹ️ Good to know: When an access role is granted through a directory group, that role is managed in your identity provider. To change it, update the person's group membership in your directory rather than in Minikai, so the change isn't overwritten on the next sync. Per-record and per-Mini label access is still managed inside Minikai; see Fine-Grained Access Controls.

⚠️ Let your directory be the source of truth: Once Directory Sync is on, provision and remove people through your directory, not by manual invite. A manually invited user won't be covered by your directory's offboarding, which can leave access in place after someone has left.
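
A dry run of the Step 4 role rules and the source-of-truth warning above, as an added example rather than Minikai's own code or tooling: it resolves each person's roles from a planned group mapping and lists who would become an Admin, who would fall to the default Member role, and which workspace users the directory does not cover. The input shapes and the sample users and groups are constructed; how you export them from your provider and workspace is assumed.

```python
DEFAULT_ROLE = "Member"  # role given to synced users in no mapped group

def effective_roles(user_groups, group_roles):
    """Union of the roles of every mapped group; the default role if none."""
    roles = {group_roles[g] for g in user_groups if g in group_roles}
    return roles or {DEFAULT_ROLE}

def audit(directory, group_roles, workspace_users):
    """Return findings to review before switching Directory Sync on."""
    resolved = {u: effective_roles(gs, group_roles)
                for u, gs in directory.items()}
    return {
        # Everyone who ends up with Admin through any of their groups.
        "admins": sorted(u for u, r in resolved.items() if "Admin" in r),
        # In no mapped group: lands on the default role with no access yet.
        "defaulted": sorted(u for u, gs in directory.items()
                            if not any(g in group_roles for g in gs)),
        # In the workspace but absent from the directory: manual invites
        # that directory offboarding will not remove.
        "unmanaged": sorted(set(workspace_users) - set(directory)),
        # Directory groups in use that have no role mapped to them.
        "unmapped_groups": sorted(
            {g for gs in directory.values() for g in gs} - set(group_roles)),
    }

# Constructed sample data (hypothetical export shapes).
GROUP_ROLES = {
    "Minikai Admins": "Admin",
    "Minikai Members": "Member",
    "Minikai Record Viewers": "Record All Viewer",
}
DIRECTORY = {
    "ana@example.com": ["Minikai Admins", "Minikai Record Viewers"],
    "ben@example.com": ["Minikai Members"],
    "cho@example.com": ["Finance"],
    "dev@example.com": [],
}
WORKSPACE_USERS = ["ana@example.com", "ben@example.com",
                   "contractor@example.net"]

if __name__ == "__main__":
    for finding, names in audit(DIRECTORY, GROUP_ROLES, WORKSPACE_USERS).items():
        print(f"{finding}: {names}")
```

Rerun it whenever the group plan changes; a growing admins list or any unmanaged entry is worth resolving before the next sync.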

Tips for a smooth setup

  • Test with one account first. Confirm sign-in and the assigned role work before rolling out to everyone.

  • Decide your groups up front. Map out which directory groups map to which roles before you switch sync on.

  • Keep group names clear. Names like "Minikai Admins" and "Minikai Members" make it obvious who gets what.

Need help?

Setting up SSO and Directory Sync is something we're glad to do alongside you. One of our team can walk your IT admins through it for your specific provider. Message us through the Help Desk in the app or email [email protected], and we'll help you get it right.
