Stacklane

SSO + SCIM, the procurement-questionnaire surfaces, built once and audited often.

Two surfaces, one budget line on every enterprise contract. SSO proves who the user is; SCIM keeps the user list in sync with the buyer's identity provider. We build both against the same identity model so a new IdP integration is a config change, not a four-week project.

What we build

  • SAML 2.0 + OIDC under one abstraction

    The identity layer treats SAML and OIDC as transport details, not branching codepaths. New IdPs (Okta, Azure AD, Google Workspace, Auth0, Ping, JumpCloud) plug in through metadata XML or OIDC discovery; the application code below doesn't change.

  • SCIM 2.0 provisioning that survives partial syncs

    User and group sync via SCIM 2.0, idempotent on every operation. Deactivations land in real time; group membership changes propagate to role assignments. Partial syncs (one user fails) don't roll back the whole batch.

  • Just-in-time provisioning for the long tail

    When SCIM isn't an option (smaller customers, providers without SCIM support), JIT provisioning creates users on first SAML/OIDC login. Attribute mapping picks up department, role, and entitlements from the assertion.

  • Audit trails on every identity event

    Logins, role grants, group changes and SCIM operations are all written to the audit log with actor, target, before/after state, and IP. Customers can export their own slice for compliance reviews; the operator dashboard surfaces anomalies.

  • Tenant-level enforcement policies

    Per-tenant enforcement: require SSO for this customer (no password fallback), restrict to specific IdP domains, enforce SCIM-only user provisioning. The settings are tenant-scoped; the audit log proves they were on.

  • WorkOS or self-hosted, depending on the contract

    Most teams ship faster with WorkOS as the abstraction layer. Some enterprise contracts forbid third-party identity routing; for those we build the same surfaces against passport-saml plus a SCIM library directly. The application code is identical either way.
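To make the provisioning, JIT, enforcement and audit points above concrete, here is an added example in TypeScript (the stack listed on this page). It is illustrative code written for this page, not Stacklane's, WorkOS's or any SCIM library's implementation. Everything in it is an assumption: the in-memory `ScimStore`, the `applyBatch`/`jitLogin`/`rolesFor` methods, the `GROUP_ROLES` mapping, and the constructed actor, IP and user values. It shows a batch where one item fails without rolling back the rest, a replayed batch that produces only no-ops, group changes propagating to roles, JIT login refused when the tenant enforces SCIM-only provisioning, and an audit record with before/after state for every change.

```typescript
// Added example for this page, not Stacklane's code. A single-tenant, in-memory
// SCIM 2.0-style user store: idempotent operations, per-item failure isolation,
// group-to-role propagation, JIT provisioning gated by tenant policy, and an
// audit entry (actor, target, before/after, IP) for every state change.

export type User = { id: string; externalId: string; userName: string; active: boolean; groups: string[] };

export type ScimOp =
  | { op: "create"; externalId: string; userName: string }
  | { op: "deactivate"; externalId: string }
  | { op: "setGroups"; externalId: string; groups: string[] };

export type AuditEvent = { actor: string; target: string; action: string; before: User | null; after: User | null; ip: string };
export type ItemResult = { index: number; status: "ok" | "noop" | "error"; detail?: string };
export type TenantPolicy = { scimOnly: boolean; allowedDomains: string[] };

// Constructed group-to-role mapping; a real deployment keeps this per tenant.
export const GROUP_ROLES: Record<string, string> = { "eng-admins": "admin", engineering: "editor", everyone: "viewer" };

export class ScimStore {
  private users = new Map<string, User>(); // keyed by the IdP's externalId
  readonly audit: AuditEvent[] = [];
  private nextId = 1;
  private policy: TenantPolicy;

  constructor(policy: TenantPolicy) { this.policy = policy; }

  // Apply a batch; each item succeeds or fails on its own, nothing is rolled back.
  applyBatch(ops: ScimOp[], actor: string, ip: string): ItemResult[] {
    return ops.map((op, index) => {
      try { return { index, status: this.applyOne(op, actor, ip) }; }
      catch (e) { return { index, status: "error", detail: (e as Error).message }; }
    });
  }

  // JIT provisioning on first SSO login, unless the tenant enforces SCIM-only provisioning.
  jitLogin(assertion: { externalId: string; email: string; groups: string[] }, ip: string): User {
    const existing = this.users.get(assertion.externalId);
    if (existing) return existing;
    if (this.policy.scimOnly) throw new Error("tenant requires SCIM provisioning; JIT disabled");
    const actor = "jit:" + assertion.email;
    this.applyOne({ op: "create", externalId: assertion.externalId, userName: assertion.email }, actor, ip);
    this.applyOne({ op: "setGroups", externalId: assertion.externalId, groups: assertion.groups }, actor, ip);
    return this.users.get(assertion.externalId)!;
  }

  // Roles derive from group membership; a deactivated user has none.
  rolesFor(externalId: string): string[] {
    const u = this.users.get(externalId);
    if (!u || !u.active) return [];
    const roles = new Set<string>();
    for (const g of u.groups) { const r = GROUP_ROLES[g]; if (r) roles.add(r); }
    return Array.from(roles);
  }

  private applyOne(op: ScimOp, actor: string, ip: string): "ok" | "noop" {
    const before = this.users.get(op.externalId) ?? null;
    switch (op.op) {
      case "create": {
        if (before) return "noop"; // replayed create for a known externalId: no duplicate
        const domain = op.userName.split("@")[1];
        if (!domain || !this.policy.allowedDomains.includes(domain)) throw new Error(`userName ${op.userName} outside allowed IdP domains`);
        this.commit(actor, ip, "user.create", before, { id: String(this.nextId++), externalId: op.externalId, userName: op.userName, active: true, groups: [] });
        return "ok";
      }
      case "deactivate": {
        if (!before) throw new Error(`unknown externalId ${op.externalId}`);
        if (!before.active) return "noop";
        this.commit(actor, ip, "user.deactivate", before, { ...before, active: false });
        return "ok";
      }
      case "setGroups": {
        if (!before) throw new Error(`unknown externalId ${op.externalId}`);
        const groups = Array.from(new Set(op.groups)).sort();
        if (groups.join(",") === before.groups.slice().sort().join(",")) return "noop";
        this.commit(actor, ip, "group.set", before, { ...before, groups });
        return "ok";
      }
    }
  }

  private commit(actor: string, ip: string, action: string, before: User | null, after: User): void {
    this.users.set(after.externalId, after);
    this.audit.push({ actor, target: after.externalId, action, before, after, ip });
  }
}

// Constructed walkthrough: one bad item, a full replay, a deactivation, and JIT under two policies.
export function runDemo() {
  const store = new ScimStore({ scimOnly: false, allowedDomains: ["example.com"] });
  const actor = "scim:idp", ip = "203.0.113.7"; // constructed values
  const batch: ScimOp[] = [
    { op: "create", externalId: "u-1", userName: "ana@example.com" },
    { op: "create", externalId: "u-2", userName: "bob@outside.example" }, // wrong domain: fails alone
    { op: "setGroups", externalId: "u-1", groups: ["engineering", "eng-admins"] },
    { op: "create", externalId: "u-1", userName: "ana@example.com" },   // duplicate create: noop
  ];
  const first = store.applyBatch(batch, actor, ip).map((r) => r.status);
  const rolesBefore = store.rolesFor("u-1");
  const second = store.applyBatch(batch, actor, ip).map((r) => r.status); // replay: no new state
  const deact = store.applyBatch([{ op: "deactivate", externalId: "u-1" }], actor, ip).map((r) => r.status);
  const rolesAfter = store.rolesFor("u-1");
  const jitUser = store.jitLogin({ externalId: "u-3", email: "cy@example.com", groups: ["everyone"] }, ip);
  let jitBlocked = false;
  try { new ScimStore({ scimOnly: true, allowedDomains: ["example.com"] }).jitLogin({ externalId: "u-9", email: "d@example.com", groups: [] }, ip); }
  catch { jitBlocked = true; }
  return { first, second, deact, rolesBefore, rolesAfter, rolesCy: store.rolesFor("u-3"), jitActive: jitUser.active, jitBlocked, auditCount: store.audit.length };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The design choice worth noting is that idempotence comes from keying on the IdP's `externalId` and comparing before/after state, so a replayed batch (after a network retry or a provider re-sync) yields only `noop` results and no duplicate audit entries, while the one invalid item is reported by index and leaves the other items committed.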

Where this fits

  1. You're losing B2B deals on the procurement checklist because the IT team flagged 'no SCIM' or 'no SAML'.

  2. Your auth was built on Auth0 in 2022 and the customers asking for enterprise SSO want IdP attributes you can't map.

  3. You have SSO working for two customers and a third one wants Azure AD provisioning, and you don't have a generalised path.

Tech stack

  • TypeScript
  • SAML 2.0
  • OIDC
  • SCIM 2.0
  • WorkOS

Want this for your team?

30 minutes with a founder or senior engineer. We'll scope what you need and tell you straight whether Stacklane fits.

Book a Free Call