End-User IdP Access Overview
External users (partners, vendors, students, contractors) can access your AI agents by authenticating through their corporate Identity Provider (IdP), without needing a CustomGPT.ai account.
This page explains what the feature does, how it works, and when to use it. For step-by-step setup instructions, see Deploy AI agents to your entire organization via IdP.
What is end-user IdP access?
End-user IdP access lets you share specific agents with people outside your CustomGPT.ai team by leveraging your existing Identity Provider (like Microsoft Entra ID, Okta, Google Workspace, or PingOne) to control who gets access to what.
External users authenticate with their own corporate credentials. They never create a CustomGPT.ai account, never see your dashboard, and can only chat with the agents you assign to them. Their sessions last 24 hours and are completely anonymous. No user data is stored, and no conversation history carries over between sessions.
Key distinction: This is not the same as regular SSO. Regular SSO lets your internal team members log into CustomGPT.ai with corporate credentials. End-user IdP access lets people outside your team access specific agents without becoming CustomGPT.ai users at all.
How it works
The feature connects three things: your Identity Provider, a role in CustomGPT, and one or more agents.
- You configure a custom attribute in your IdP (for example, customgpt_role) and assign it to the users or groups who need agent access.
- You create a matching role in CustomGPT with chat-only permissions and assign specific agents to it.
- You enable end-user IdP access in your SSO settings, which generates a portal login URL.
- External users visit the portal URL (or an embedded agent on your website), authenticate through your IdP, and are routed to the agents their role permits.
The role name in CustomGPT must exactly match the attribute value from your IdP. This match is case-sensitive: Sales-Team and sales-team are treated as different roles.
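The exact-match rule above is the usual reason an external user authenticates successfully but sees no agents. The following is an added example, not CustomGPT.ai code: an offline check that reads the customgpt_role attribute from an exported SAML assertion and flags values that miss a role only by case or whitespace. The role-to-agent table and the sample assertion are constructed, and the comparison assumes the plain string equality the page describes.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute part of a SAML 2.0 assertion. Not real tenant data.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="customgpt_role">
      <saml:AttributeValue>sales-team</saml:AttributeValue>
      <saml:AttributeValue>HR </saml:AttributeValue>
      <saml:AttributeValue>IT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical role -> agent assignments, standing in for the roles you created.
ROLE_AGENTS = {"Sales-Team": ["Sales agent"], "HR": ["HR agent"], "IT": ["IT agent"]}


def attribute_values(assertion_xml, attr_name="customgpt_role"):
    """Return the raw values of one attribute, without trimming or case folding."""
    # Diagnostic use on an assertion you exported yourself; no signature is verified.
    root = ET.fromstring(assertion_xml)
    xpath = f".//saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [el.text or "" for el in root.findall(xpath, SAML_NS)]


def check_role_mapping(assertion_xml, role_agents, attr_name="customgpt_role"):
    """Resolve agents by exact, case-sensitive match and report near-misses."""
    agents, near_misses = [], []
    for value in attribute_values(assertion_xml, attr_name):
        if value in role_agents:
            agents.extend(role_agents[value])
            continue
        # Differs from a role only by case or padding: likely a typo on one side.
        for role in role_agents:
            if value.strip().casefold() == role.casefold():
                near_misses.append((value, role))
    return agents, near_misses


if __name__ == "__main__":
    agents, near = check_role_mapping(SAMPLE_ASSERTION, ROLE_AGENTS)
    print("agents granted:", agents)
    for value, role in near:
        print(f"no match: {value!r} differs from role {role!r} only by case/whitespace")
```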
Important: External users are not created as accounts in CustomGPT.ai. They remain anonymous and can only chat. There is no limit on how many external users can access agents this way.
Two deployment methods
You can give external users access through a portal URL, an embedded agent, or both.
| Method | How it works | Best for |
|---|---|---|
| Portal URL | You share a unique URL. Users click it, authenticate via your IdP, and land on their assigned agent(s). | Broad rollouts via email, intranet, or LMS. Simple to share, with no code involved. |
| Embedded agent | You embed the agent on a web page. Users see a "Sign in to chat" button, authenticate in a popup, and start chatting without leaving the page. | Partner portals, course platforms, intranets: anywhere you want the agent in context. |
Both methods use the same role-based access control. Sessions last 24 hours regardless of the deployment method.
For details on what external users see during each flow, see How external users sign in to your agents.
When to use this feature
End-user IdP access is designed for scenarios where you need to give agent access to many people without managing individual accounts.
Large organizations with many external users. You control access entirely through your IdP. No invitations, no user management, no account limits.
Department-based access. HR gets the HR agent, IT gets the IT agent, Sales gets the Sales agent, all from the same portal URL. Each department's IdP attribute routes them to the right agent automatically.
Universities and schools. Professors can build course-specific agents and restrict access by enrollment. Students authenticate via campus SSO, and their class attribute determines which agents they see.
Partner and vendor access. Give implementation partners, suppliers, or consulting clients access to documentation agents, support tools, or project-specific assistants, all through their existing corporate login.
Contractor onboarding. Temporary contractors authenticate through their staffing agency's IdP to access onboarding and training agents. When their IdP credentials are revoked, agent access stops automatically.
White-label deployments. External users never see a CustomGPT.ai dashboard or account UI.
Prerequisites
Before setting up end-user IdP access, confirm you have the following:
- A CustomGPT.ai Teams plan with the IdP end-user access feature enabled. Contact sales if you are not sure whether this is active on your account.
- SSO already configured for your organization. See SSO setup if you have not done this yet.
- A custom attribute configured in your IdP that will be used to map users to roles in CustomGPT. Your IT team will need to set this up. See the setup guide for details on what to configure.
- Account Owner or Admin access in CustomGPT.ai. The SSO tab is only visible to the account owner or users with non-organization accounts.
Supported Identity Providers
Any SAML 2.0 compliant IdP works, including Microsoft Entra ID, Okta, Google Workspace, and PingOne. CustomGPT provides IdP-specific SSO setup guides for each of these.
What to do next
Choose the guide that matches your deployment scenario:
| I want to... | Go to |
|---|---|
| Set up end-user IdP access end-to-end (portal URL or embedded) | Deploy AI agents to your entire organization via IdP |
| Embed an IdP-protected agent on an external website | Deploy IdP-access controlled agent to external website |
| Understand what external users see when they sign in | How external users sign in to your agents |
| Add or remove agents, manage user groups, or revoke access | Update and revoke external agent access |
Related guides
- SSO setup
- SSO setup with Microsoft Azure
- SSO setup with Okta
- SSO setup with Google Workspace
- SSO setup with PingOne
- Create custom roles
- Create agent-specific custom roles
