
SSO & SCIM (Enterprise)

PhishNet supports SAML 2.0 single sign-on and SCIM automatic provisioning for enterprise plans. Both are powered by WorkOS, which acts as a broker between PhishNet and your identity provider (IdP) — so regardless of whether your team uses Okta, Azure AD, Google Workspace, or another IdP, the setup process is the same.

What SSO gives you

  • One login for everything — employees sign in with their existing corporate credentials; no separate PhishNet password.
  • Centralised access control — unassigning a user from the PhishNet application in your IdP stops them signing in via SSO straight away. It does not by itself remove their PhishNet account; that is what SCIM deprovisioning (below) does.
  • Audit trail in your IdP — every SSO login to PhishNet appears in your identity provider's access logs (password logins do not).

What SCIM gives you

  • Automatic provisioning — new hires added to your IdP are automatically added to PhishNet.
  • Automatic deprovisioning — employees who leave are removed from PhishNet when offboarded in the IdP. No manual cleanup required.
  • Zero invite overhead — for SCIM-provisioned orgs, admins never need to send invites.

Setting up SSO

SSO setup is a one-time process that takes 10–15 minutes. You'll need admin access to both PhishNet and your identity provider.

Step 1 — Open the SSO configuration portal

  1. In the PhishNet admin dashboard, go to Enterprise → SSO & SCIM.
  2. Click Configure SSO.
  3. PhishNet opens the WorkOS Admin Portal in a new tab. This is a secure, WorkOS-hosted page — PhishNet never sees your IdP credentials or SAML certificates directly.

Step 2 — Connect your identity provider

Inside the WorkOS portal:

  1. Select your identity provider from the list (Okta, Azure AD, Google Workspace, etc.).
  2. Follow the on-screen instructions to configure the SAML connection in your IdP. The portal shows exactly what values to enter — Entity ID, ACS URL, and certificate format.
  3. Once configured, click Save in your IdP and return to the WorkOS portal.
  4. WorkOS validates the connection. When it succeeds, the portal shows a green "Connection active" status.
  5. Close the portal tab and return to PhishNet. The SSO & SCIM page now shows your connection as Active.

Step 3 — Claim your email domain(s)

After activating the connection, add every email domain your organisation uses:

  1. On the SSO & SCIM page, enter your domain (e.g. acme.com) in the Claimed email domains field and click Add.
  2. Repeat for any additional domains (e.g. acme.co.uk).

These domains are used for login routing: when a user types their work email on the PhishNet sign-in screen, PhishNet looks up which domain matches and redirects them to the correct SSO connection automatically. Users don't need to know anything about SAML — they just type their email address.


The SSO login experience

Once SSO is active, employees log in like this:

  1. Go to the PhishNet sign-in page and click Sign in with SSO.
  2. Enter their work email address (e.g. alice@acme.com).
  3. PhishNet looks up the domain and redirects them to your IdP.
  4. The employee authenticates with their corporate credentials (including MFA if your IdP requires it).
  5. They land in PhishNet, signed in.

Employees do not need a separate PhishNet password. If their account does not exist yet, PhishNet creates it automatically on first SSO login. That makes your IdP's application assignment the gate for who gets a PhishNet account: anyone your IdP lets into the PhishNet application can sign in, so assign the application to the groups that should have access rather than to everyone.
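The routing described above and the first-login account creation, as an added example (not PhishNet's or WorkOS's code): the org names, connection IDs and claimed-domain table are constructed sample data, and the check that the asserted email's domain belongs to the org behind the connection is this example's own safeguard, not a documented PhishNet behaviour.

```python
"""SSO login routing and first-login account creation (added illustration, not PhishNet's code).

Models two behaviours the text describes: routing a typed email address to the
SSO connection of the org that claimed its domain, and creating the account on
first SSO login. The org names, connection IDs and claimed-domain table are
constructed sample data, and the asserted-email check in complete_sso_login is
this example's own safeguard rather than a documented PhishNet behaviour.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Org:
    name: str
    connection_id: str               # hypothetical identifier for the org's SAML connection
    claimed_domains: FrozenSet[str]  # what the admin entered under "Claimed email domains"


# Constructed sample tenants.
ORGS = [
    Org("acme", "conn_acme", frozenset({"acme.com", "acme.co.uk"})),
    Org("globex", "conn_globex", frozenset({"globex.example"})),
]
ORG_BY_DOMAIN: Dict[str, Org] = {d: o for o in ORGS for d in o.claimed_domains}
ORG_BY_CONNECTION: Dict[str, Org] = {o.connection_id: o for o in ORGS}
ACCOUNTS: Dict[str, dict] = {}    # email -> account record; in-memory stand-in for a user table


def parse_email(email: str) -> Optional[Tuple[str, str]]:
    """Split an address into (local part, lower-cased domain), or None if unroutable.

    Exactly one '@' is required. "mallory@evil.example@acme.com" would read as
    acme.com to code that splits on the last '@' and as evil.example to code
    that splits on the first, so such input is rejected rather than guessed at.
    The domain is lower-cased because DNS names are case-insensitive.
    """
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or "." not in domain or any(c.isspace() for c in domain):
        return None
    return local, domain.lower()


def route_login(email: str) -> Optional[str]:
    """Connection ID to redirect the sign-in to, or None to show the password form.

    Matching is exact: mail.acme.com is not treated as acme.com. An org that
    issues addresses on several subdomains must claim each one.
    """
    parsed = parse_email(email)
    if parsed is None:
        return None
    org = ORG_BY_DOMAIN.get(parsed[1])
    return org.connection_id if org else None


def complete_sso_login(connection_id: str, asserted_email: str, display_name: str) -> dict:
    """Finish a login once the broker reports a validated assertion from `connection_id`.

    `asserted_email` is whatever the IdP put in the assertion. Its domain is
    checked against the domains claimed by the org that owns the connection, so
    one org's IdP cannot create or take over an account in another org's domain.
    """
    org = ORG_BY_CONNECTION.get(connection_id)
    parsed = parse_email(asserted_email)
    if org is None or parsed is None or parsed[1] not in org.claimed_domains:
        raise PermissionError(f"{asserted_email!r} is not in a domain claimed for connection {connection_id!r}")
    key = f"{parsed[0]}@{parsed[1]}"
    account = ACCOUNTS.get(key)
    if account is None:   # first SSO login: create the account, with no password set
        account = {"email": key, "org": org.name, "display_name": display_name, "has_password": False}
        ACCOUNTS[key] = account
    return account


def demo() -> Dict[str, object]:
    """Exercise routing and first-login creation; returns the outcomes for inspection."""
    ACCOUNTS.clear()
    results: Dict[str, object] = {
        "routed_case_insensitive": route_login("Alice@ACME.com"),
        "subdomain_not_claimed": route_login("bob@mail.acme.com"),
        "unclaimed_domain": route_login("carol@nowhere.example"),
        "ambiguous_address": route_login("mallory@evil.example@acme.com"),
    }
    first = complete_sso_login("conn_acme", "alice@acme.co.uk", "Alice Ng")
    second = complete_sso_login("conn_acme", "alice@acme.co.uk", "Alice Ng")
    results["first_login"] = dict(first)
    results["second_login_same_account"] = first is second
    try:   # globex's IdP asserting an acme.com address must be refused
        complete_sso_login("conn_globex", "mallory@acme.com", "Mallory")
        results["cross_org_rejected"] = False
    except PermissionError:
        results["cross_org_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exact-match rule and the cross-org check are the two decisions worth copying: a subdomain you have not claimed falls back to the password form instead of being silently absorbed, and an assertion carrying an address outside the connection's claimed domains is refused before any account is created.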


Setting up SCIM

SCIM provisioning is set up from the same WorkOS portal used for SSO setup.

  1. On the SSO & SCIM page, click Enable SCIM.
  2. The WorkOS portal opens again, this time to the Directory Sync section.
  3. Follow the instructions to enable SCIM in your IdP and point it at the WorkOS endpoint URL and bearer token shown in the portal. The bearer token is the credential your IdP uses to create and remove PhishNet users: paste it straight into the IdP's SCIM configuration and do not store or share it anywhere else.
  4. Once saved, the SSO & SCIM page shows a SCIM badge next to the connection status.

From that point on, user lifecycle is managed entirely through your IdP:

IdP action                    PhishNet result
Add user to IdP               User automatically added to PhishNet
Update user name or email     PhishNet account updated
Remove user from IdP          User removed from the PhishNet org
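What those three rows look like on the wire, as an added example that is not WorkOS's or PhishNet's code: a small in-memory SCIM 2.0 /Users endpoint that checks the bearer token and projects each IdP request onto the member list the application sees. The bearer token, the endpoint paths and the user records are constructed sample values; request bodies are given as already-parsed JSON objects.

```python
"""SCIM 2.0 provisioning exchange (added illustration, not WorkOS or PhishNet code).

Models the lifecycle table as the calls an IdP makes against a SCIM endpoint:
create (POST /Users), update (PATCH /Users/{id}), deprovision (PATCH
active=false, which is what most IdPs send on offboarding) and hard delete
(DELETE /Users/{id}). The bearer token and user records are constructed.
"""
import hmac
import uuid
from typing import Dict, Optional, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
BEARER_TOKEN = "scim_tok_example_0123456789abcdef"   # constructed; the real one is shown once in the portal
Response = Tuple[int, dict]


def scim_error(status: int, detail: str) -> Response:
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimDirectory:
    """In-memory SCIM 2.0 /Users resource plus the app-side member list it drives."""

    def __init__(self, token: str):
        self._token = token
        self.users: Dict[str, dict] = {}     # SCIM id -> SCIM user resource
        self.members: Dict[str, dict] = {}   # SCIM id -> {email, display_name}; active users only

    def _authorised(self, headers: dict) -> bool:
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        # The token is the only credential guarding account creation and removal,
        # so compare it in constant time and never write it to logs.
        return scheme == "Bearer" and hmac.compare_digest(presented, self._token)

    def handle(self, method: str, path: str, headers: dict, body: Optional[dict] = None) -> Response:
        """Dispatch one request the way the endpoint would."""
        if not self._authorised(headers):
            return scim_error(401, "invalid or missing bearer token")
        body = body or {}
        if method == "POST" and path == "/Users":
            return self._create(body)
        if path.startswith("/Users/"):
            user_id = path[len("/Users/"):]
            if user_id not in self.users:
                return scim_error(404, f"no user {user_id}")
            if method == "PATCH":
                return self._patch(user_id, body)
            if method == "DELETE":
                return self._delete(user_id)
        return scim_error(405, f"{method} {path} not supported")

    def _create(self, body: dict) -> Response:
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "userName and the core User schema are required")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return scim_error(409, "userName already exists")   # SCIM uniqueness conflict
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "userName": body["userName"],
                "name": dict(body.get("name", {})), "active": bool(body.get("active", True))}
        self.users[user["id"]] = user
        self._sync(user)
        return 201, user

    def _patch(self, user_id: str, body: dict) -> Response:
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required")
        user = self.users[user_id]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":   # add/remove exist too; only replace is modelled
                return scim_error(400, f"unsupported op {op.get('op')!r}")
            path = op.get("path")
            if path is None:                            # no path: value is a partial resource
                user.update(op["value"])
            elif "." in path:                           # e.g. "name.givenName"
                parent, child = path.split(".", 1)
                user.setdefault(parent, {})[child] = op["value"]
            else:                                       # e.g. "active", "userName"
                user[path] = op["value"]
        self._sync(user)
        return 200, user

    def _delete(self, user_id: str) -> Response:
        self.users.pop(user_id)
        self.members.pop(user_id, None)
        return 204, {}

    def _sync(self, user: dict) -> None:
        """Project the SCIM record onto the member list (the 'PhishNet result' column)."""
        if not user["active"]:
            self.members.pop(user["id"], None)          # offboarded: membership removed
            return
        name = user.get("name", {})
        display = " ".join(p for p in (name.get("givenName"), name.get("familyName")) if p)
        self.members[user["id"]] = {"email": user["userName"], "display_name": display}


def run_lifecycle() -> Dict[str, object]:
    """Replay the IdP actions from the table and record what the app sees after each."""
    d = ScimDirectory(BEARER_TOKEN)
    good = {"Authorization": "Bearer " + BEARER_TOKEN}
    bad = {"Authorization": "Bearer " + BEARER_TOKEN[:-1] + "X"}
    out: Dict[str, object] = {}
    out["unauthorised_status"] = d.handle("POST", "/Users", bad, {"schemas": [USER_SCHEMA], "userName": "x@acme.com"})[0]
    status, alice = d.handle("POST", "/Users", good, {"schemas": [USER_SCHEMA], "userName": "alice@acme.com",
                                                      "name": {"givenName": "Alice", "familyName": "Ng"}})
    uid = alice["id"]
    out["created"] = (status, dict(d.members[uid]))
    rename = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "path": "userName", "value": "alice.ng@acme.com"}]}
    out["renamed"] = (d.handle("PATCH", f"/Users/{uid}", good, rename)[0], dict(d.members[uid]))
    deactivate = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "path": "active", "value": False}]}
    out["deactivated"] = (d.handle("PATCH", f"/Users/{uid}", good, deactivate)[0], uid in d.members)
    out["deleted"] = d.handle("DELETE", f"/Users/{uid}", good)[0]
    out["deleted_again"] = d.handle("DELETE", f"/Users/{uid}", good)[0]
    return out


if __name__ == "__main__":
    for stage, result in run_lifecycle().items():
        print(f"{stage}: {result}")
```

Two details carry over to any real SCIM integration: offboarding usually arrives as a PATCH that sets `active` to false rather than a DELETE, so membership must be revoked on deactivation and not only on deletion, and the bearer token is the whole of the authentication, which is why it is compared in constant time and why the page tells you to keep it inside the IdP's SCIM configuration.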

Removing SSO

To disconnect SSO:

  1. Go to Enterprise → SSO & SCIM.
  2. Click Remove.
  3. Confirm the prompt.

This removes the SAML connection and all claimed email domains. Members who joined via SSO keep their accounts but will need to set a password to continue accessing PhishNet. Review the member list before you remove SSO: once the connection is gone your IdP no longer controls who can sign in, so any account that should not exist (for example someone who left before SCIM was enabled) has to be removed by hand.


Requirements

  • PhishNet Enterprise plan
  • Admin role in PhishNet
  • Admin access to your identity provider

Frequently asked questions

Can I have SSO and password login at the same time? Yes. SSO login and email/password login coexist, and activating SSO does not disable password login. Your IdP only controls SSO logins: unassigning someone from the PhishNet application blocks their SSO sign-in but not a PhishNet password they have already set. If you want effectively SSO-only access, keep password-capable accounts to a minimum and review them periodically.

What happens if the SSO connection goes down? Members who have set a PhishNet password can sign in with email/password as a fallback; accounts created through SSO have no password until one is set. Keep at least one PhishNet admin with a working password as a break-glass account so you can still reach the SSO & SCIM settings while the IdP is unavailable. Contact support if you need to permanently recover access.

Can one PhishNet org have multiple SSO connections? No — each org maps to one WorkOS connection. If your company has multiple IdPs, use a federation layer (e.g. Okta as a hub) to merge them before pointing at PhishNet.