
Enterprise-Ready: SSO, SCIM, and Identity Management Are Live

secr now supports SAML SSO, OIDC, SCIM directory provisioning, social login, MFA, and passkeys — everything your security team needs to approve a secrets manager.

secr team

Why enterprise identity matters for secrets management

Your secrets manager holds the keys to every service your team depends on — databases, payment processors, third-party APIs, internal services. If someone leaves the company and their access isn't revoked instantly, those secrets are at risk.

That's why enterprise identity management isn't a nice-to-have. It's the difference between "we'll clean it up manually" and "access was revoked the moment HR deactivated their account."

Today we're announcing full enterprise identity support in secr: SAML SSO, OIDC, SCIM directory provisioning, social login, MFA, and passkeys — all powered by WorkOS.

What shipped

SAML & OIDC single sign-on

Connect secr to your existing identity provider — Okta, Azure AD, Google Workspace, or any SAML 2.0 / OIDC-compliant IdP. Your team signs in with their corporate credentials. No separate password to manage, no separate account to provision.

SSO is configured at the organization level. Once enabled, all members authenticate through your IdP. Session policies, conditional access rules, and login restrictions from your IdP are enforced automatically.

SCIM directory provisioning

SCIM (System for Cross-domain Identity Management) automates the entire user lifecycle:

  • Provision: When someone joins your team in Okta or Azure AD, they're automatically added to secr with the correct role.
  • Update: Role changes in your directory are synced to secr.
  • Deprovision: When someone leaves, their secr access is revoked immediately. No manual cleanup, no forgotten accounts.

This means your security team can enforce a single source of truth for who has access to secrets — your identity provider.

Social login

For teams that don't need full SSO, we now support Google and GitHub social login. One click, no password. Available on the Team plan and above.

MFA & passkeys

Multi-factor authentication and passkey support add an extra layer of protection. Admins can enforce MFA across the organization, ensuring that even if a password is compromised, secrets stay safe.

Passkeys use the WebAuthn standard — biometrics or hardware keys, no TOTP codes to fumble with.

CLI device flow

The CLI now supports SSO-aware login. When you run secr login, you'll be redirected to your IdP in the browser. Once authenticated, the CLI session is established automatically. No API keys to copy-paste, no tokens to manage manually.

$ secr login
Opening browser for SSO authentication...
Authenticated as alice@acme.com via Okta

How SCIM works in practice

Here's what the flow looks like for a typical Okta setup:

  1. Admin configures SCIM in the secr dashboard under Organization Settings.
  2. Okta pushes user events to secr's SCIM endpoint — creates, updates, and deactivations.
  3. secr maps directory groups to roles — you define which groups get admin, developer, or viewer access.
  4. When someone is deactivated in Okta, their secr sessions are revoked and their access is removed within seconds.

The same flow works with Azure AD and Google Workspace. Any SCIM 2.0-compliant directory will work.
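
The role-mapping and deactivation steps above, sketched as an added Python example (not secr's or WorkOS's code). The group names, the in-memory user and session stores, and all function names are hypothetical; the two sample PatchOp payloads are constructed to show a path-less and a path-based way a directory can set active to false.

```python
# Added example: in-memory sketch of a SCIM 2.0 receiver (not secr's or WorkOS's code).
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ROLE_RANK = {"viewer": 1, "developer": 2, "admin": 3}
# Hypothetical directory-group-to-role mapping.
GROUP_ROLES = {"secr-admins": "admin", "engineering": "developer", "auditors": "viewer"}
# Constructed sample payloads: path-less and path-based deactivation.
PATCH_A = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "value": {"active": False}}]}
PATCH_B = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}

def role_for(groups):
    """Highest mapped role, or None (no access) when no group is mapped."""
    roles = [GROUP_ROLES[g] for g in groups if g in GROUP_ROLES]
    return max(roles, key=ROLE_RANK.get) if roles else None

def as_bool(value):
    """Accept JSON booleans and the string forms some directories send."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"unsupported 'active' value: {value!r}")

def requested_active(patch):
    """Return the 'active' flag a PatchOp sets, or None if it does not touch it."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = None
    for op in patch.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict) and "active" in value:
            result = as_bool(value["active"])
        elif isinstance(path, str) and path.lower() == "active":
            result = as_bool(value)
    return result

def apply_patch(users, sessions, user_id, patch):
    """Apply the patch; on deactivation drop the role and revoke every session."""
    active, user = requested_active(patch), users[user_id]
    if active is False:
        user["active"], user["role"] = False, None
        revoked = [s for s, uid in sessions.items() if uid == user_id]
        for s in revoked:
            del sessions[s]
        return revoked
    if active is True:
        user["active"], user["role"] = True, role_for(user["groups"])
    return []
```

A receiver that only recognises one payload shape silently ignores the other, which leaves a deactivated user's sessions alive; testing deprovisioning against each connected directory catches this.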

Why WorkOS

We evaluated building SSO and SCIM from scratch. It's a significant undertaking — SAML XML parsing, SCIM endpoint compliance, IdP-specific quirks, and ongoing maintenance as providers update their implementations.

Instead, we chose WorkOS — the same identity infrastructure used by Vercel, Perplexity, and Cursor. WorkOS handles the IdP integration layer, and we handle the session management, role mapping, and access control within secr.

The result: enterprise-grade identity support without the 6-month engineering detour.

Getting started

Enterprise plan: SSO (SAML & OIDC), SCIM, MFA enforcement, and passkeys are available on the Enterprise plan. Contact us to get started.

Team plan: Social login (Google & GitHub) is included.

All plans: MFA and passkey support is available for individual accounts on every plan.

If you're already on the Enterprise plan, head to Organization Settings in the dashboard to configure SSO and SCIM. If you're evaluating secr for your team, reach out — we'll walk you through the setup.
