Guides
Start typing to search…

Deploy IdP-access controlled agent to external website

This guide explains how to deploy a private CustomGPT.ai agent to an external website so that only users authenticated through your organization's Identity Provider (IdP) can access it.

Prerequisites

Before following this guide, make sure you have:

  • A CustomGPT Teams (Enterprise) plan with SSO enabled. Contact the sales team if you're not sure whether this is active for your organization.
  • SSO configured in your CustomGPT.ai account. See Control end-user access to agents via IdP if you haven't done this yet.
  • Account Owner or Admin access in CustomGPT.ai.

Step 1: Set Up IdP End-User Access Control

If you haven't already configured end-user access via your IdP, complete the following steps first.

Create a Role in CustomGPT Teams

Before configuring the IdP connection, create the role that will be assigned to guest users.

  1. Click on My Profile.
  1. Click on Teams.
Screenshot: Teams option in My Profile
  1. Click on the Roles tab.
Screenshot: Roles tab inside Teams
  1. Click Create Custom Role.
Screenshot: Create Custom Role button on the Roles tab
  1. Enter a Role Name. This must exactly match the attribute value your IdP will send — it is case-sensitive (for example, if your IdP sends partner-support, the role name must be partner-support).
Screenshot: Role Name field
  1. Enter a Description for the role.
Screenshot: Description field
  1. Deselect Role is Global — strongly recommended. Keeping the role local ensures access is strictly controlled and limited to the intended agents.
Screenshot: Role is Global checkbox deselected
  1. In the Agents section, select which agents this role can access.
Screenshot: Agents section with agent selection
  1. Set Permission to Chat Only — strongly recommended. This prevents end-users from accessing any settings or configuration.
Screenshot: Permission set to Chat Only
  1. Click Submit.
Screenshot: Submit button

Enable IdP End-User Access in CustomGPT.ai

  1. Click My profile icon in the bottom-left corner
  1. Click My Profile from the dropdown
  1. Click the Single Sign On (SSO) tab
  1. Scroll to the IdP End-User Access Control section, and toggle On Enable End-User IdP Access
  1. Enter the attribute name you configured in your IdP (e.g., customgpt_role)
  1. Click Update Controls

Step 2: Enable the IdP Option on Your Agent

  1. Go to your agent's Personalize setting
  1. On the Personalize page, click on the Security tab
  1. Scroll to Agent Visibility, select Private
  1. In the Private Agent Deployment options, select Enabled (IdP).
  1. Click Save Settings

Once this is enabled, you'll see the following notice on your Deploy page:

"Private Agent Deployment is enabled. You can add the agent's code snippet to any website, but users will only be able to access it after signing in with your organization's account."

Step 3: Embed the Agent on Your Website

  1. Go to the Deploy page for your agent.
  2. Copy the embed code snippet.
  3. Paste it into the HTML of the page where you want the agent to appear.

No developer is required — this is a no-code process.

What Your Users Will Experience

When a user visits a page with the embedded agent, they will see a login prompt. Clicking it automatically redirects them to your organization's IdP login page. After successful authentication, they are returned directly to the chat.

Users do not need a CustomGPT.ai account. Sessions last 24 hours, after which they will be prompted to log in again.

Related Articles

Updated about 3 hours ago