Skip to content
synthreo.ai

SSO and Auto-Provisioning

Register your SSO org identifiers in Canopy so matching users are provisioned automatically, enforce SSO sign-in, and manage the provisioned-user and deny lists.

Auto-provisioning registers a customer’s single sign-on (SSO) organization identifier so that matching users are created in Synthreo automatically the first time they sign in. You can also enforce SSO, so matching users must sign in through their provider rather than with a password.

These controls appear in two places, and work the same in both:

  • Your organization - in Settings, under “SSO and Auto-Provisioning” and “SSO Access”.
  • A child customer - on the customer’s SSO / Provisioning and SSO Access tabs. See Adding a New Customer.

A provisioning rule maps an SSO organization to your Synthreo tenant. Select Add rule and fill in the dialog:

FieldWhat to enter
NameA label for the rule (for example, “Contoso (Entra)”).
ProviderThe SSO provider. Microsoft (Entra) is supported.
IdentifierThe provider’s organization identifier. For Microsoft, this is the Directory (tenant) ID - the GUID shown under Microsoft Entra ID in the Azure portal (for example, 00000000-0000-0000-0000-000000000000).
Granted appsWhich apps provisioned users receive. ThreoAI is always included; Builder and Canopy are optional.
Create disabledSave the rule without applying it yet.

Select Create to save. Rules appear in the table with their name, provider, identifier, granted apps, created date, and enabled state.

Add Provisioning Rule dialog with Name, Provider, Identifier, and Granted apps fields


The Enforce SSO toggle stays off, and cannot be turned on, until at least one provisioning rule exists. Once a rule is in place, turn it on so that users matching a rule must sign in through their SSO provider.


The SSO Access view manages the users that auto-provisioning has created and the ones you want to keep out:

  • Active users - users auto-provisioned for this organization, with their email, provider, identifier, and when they were provisioned. Deny a user to block re-provisioning on their next sign-in.
  • Denied emails - the block list. Block email adds an address; the list shows when each was blocked and why. Allowing an email re-enables provisioning on that person’s next sign-in.