Guides
Start typing to search…

Control end-user access to agents via IdP

This guide explains how to let users from your Identity Provider (like Microsoft Entra ID or Okta) access specific agents without creating CustomGPT.ai user accounts.


📘

Prerequisites

  • The feature must be enabled on your plan. Contact sales if needed.
  • SSO must already be configured. See SSO setup.
  • The attribute must be set up on your IdP and will be used to map roles.

How it works

When you enable this feature:

  • You share a special portal login URL with external users
  • Users authenticate with your IdP (they don't need a CustomGPT account)
  • Your IdP sends an attribute (like department or group name)
  • CustomGPT matches that attribute to a user role you've created
  • The user gets a 24-hour session to chat with agents assigned to that role
🚧

Important

  • Users are not created in CustomGPT.ai. They remain anonymous and can only chat.
  • This feature currently works only with Share Link deployment.

Step 1: Create a user role

Before configuring the IdP connection, create the role that will be assigned to guest users.

  1. Go to Teams → Roles.
  2. Click Create Custom Role.
  3. Configure the role:
SettingValue
Role NameMust exactly match the attribute value your IdP will send
PermissionsChat Only (strongly recommended)
ScopeLocal (strongly recommended)
  1. In the Agents section, select which agents this role can access.
  2. Click Submit.
❗️

Critical

The role name must be an exact match to the attribute value from your IdP. If your IdP sends partner-support, your role must be named exactly partner-support.

Step 2: Enable IdP end-user access in CustomGPT

  1. In the bottom-left corner, click your profile icon to access profile options.
  2. Click My Profile from the dropdown menu.
  3. Click the Single Sign On (SSO) tab.
  4. In the IdP End-User Access Control section at the bottom, enter the attribute name you configured in your IdP (e.g., customgpt_role).
  5. Click Update Controls.
  6. Copy the generated Portal Login URL. This is the URL you'll share with external users.
📘

Note

The portal URL is unique to your organization and looks like: https://app.customgpt.ai/portal/[random-string]

Step 3: Test the configuration

  1. Open an incognito/private browser window.
  2. Go to your portal login URL.
  3. You're taken directly to that agent's chat.
  4. Log in with a test account that has the correct attribute value.
  5. After authentication:
    1. If the role has access to one agent: you're redirected directly to that agent
    2. If the role has access to multiple agents: you see a portal listing all accessible agents

What users experience

  • Session duration: 24 hours from login
  • Access: Chat only with assigned agents
  • No account created: Users don't appear in your team's user list and don't need to know the agent is powered by CustomGPT.ai
  • Conversations: Appear as anonymous in analytics
  • No user limit: There's no limit on how many end-users can access agents this way.

If a user tries to access any other page (dashboard, settings, etc.), they're redirected back to the agent portal.

When to use this

This feature is ideal for:

  • Large organizations with many end-users who need agent access
  • Teams who don't want to manage users: no need to add or remove users in CustomGPT.ai
  • Department-based access: create different agents for different departments and share the same portal link with everyone
  • Educational institutions: professors can build agents for students and control access at the classroom or course level
  • White-label deployments: end-users don't need to know the agent is powered by CustomGPT.ai

Related guides


Updated about 10 hours ago