Update and revoke external agent access
Once IdP access is set up, day-to-day management happens in two places: Teams → Roles (for controlling who can access what) and Analytics (for monitoring usage). This guide covers the most common tasks.
For initial setup, see Deploy AI agents to your entire organization via IdP.
Before you start
To follow this guide, you need:
- A CustomGPT.ai Enterprise plan with SSO and IdP end-user access enabled.
- IdP end-user access fully configured: at least one role created, mapped to an IdP attribute, and the feature toggled on in your SSO settings.
- Account Owner or Admin access in CustomGPT.ai.
If you have not completed the initial setup, see Deploy AI agents to your entire organization via IdP first.
Add an agent to an existing role
Use this when a user group should have access to an additional agent.
- Go to Teams in the left navigation, then click the Roles tab.
- Find the role you want to update and click to edit it.
- In the Agents section, check the box next to the agent you want to add.
- Click Submit.
External users in that role will see the new agent on their next authentication after their current 24-hour session expires.
Remove an agent from a role
Use this when a user group should no longer have access to a specific agent.
- Go to Teams → Roles.
- Find the role and click to edit it.
- In the Agents section, uncheck the agent you want to remove.
- Click Submit.
External users in an active session keep access until their session expires (up to 24 hours). To remove access for all external users immediately, see Immediate revocation below.
Add a new user group
Use this when a new set of external users needs their own access: a new department, a new cohort, a new partner organization.
Critical: Role name must exactly match the IdP attribute value
The role name you create in CustomGPT must be an exact, case-sensitive match to the attribute value your IdP sends. Partners-EMEA is not the same as partners-emea. A mismatch means external users in that group will see a 403 error.
Step 1: Coordinate with your IdP team
Decide on the attribute value that will identify this group in your IdP. For example, contractors-2026 or partners-emea. Your IdP team needs to assign this attribute value to the right users before anyone can access the agent.
Step 2: Create the matching role in CustomGPT
- Go to Teams → Roles.
- Click Create Custom Role.
- Enter a Role Name that exactly matches the IdP attribute value — spelling, capitalization, and hyphens included.
- Set Permissions to Chat Only.
- Set Scope to Local.
- In the Agents section, select the agents this group can access.
- Click Submit.
Once the role exists and your IdP team has assigned the attribute, external users in that group will authenticate and land in the right agents automatically.
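A pre-flight check for the exact-match rule above, as an added example that is not part of CustomGPT.ai's own tooling. It assumes you have copied the role names from Teams → Roles and the attribute values from your IdP into two lists by hand; the function name, the report keys and the sample data are constructed for illustration, and no CustomGPT or IdP API is called.

```python
import unicodedata


def _fold(value: str) -> str:
    """Normalise for near-miss detection only; the real match is exact."""
    value = unicodedata.normalize("NFKC", value).strip().casefold()
    return value.replace("_", "-").replace(" ", "-")


def audit_role_mapping(role_names, idp_values):
    """Compare CustomGPT role names with the attribute values the IdP sends.

    Returns a dict with:
      matched   - IdP values that have an exact, case-sensitive role name
      near_miss - (idp_value, role_name) pairs that differ only by case,
                  surrounding whitespace or separator; not an exact match,
                  so these users would see the 403 described above
      unmapped  - IdP values with no similar role at all
      orphaned  - role names that no IdP value matches exactly
    """
    roles = set(role_names)
    folded_roles = {}
    for name in role_names:
        folded_roles.setdefault(_fold(name), []).append(name)

    report = {"matched": [], "near_miss": [], "unmapped": [], "orphaned": []}
    for value in idp_values:
        if value in roles:
            report["matched"].append(value)
        elif _fold(value) in folded_roles:
            for name in folded_roles[_fold(value)]:
                report["near_miss"].append((value, name))
        else:
            report["unmapped"].append(value)
    report["orphaned"] = sorted(roles - set(report["matched"]))
    return report


# Constructed sample data: role names as typed in CustomGPT, values as sent by the IdP.
ROLES = ["Partners-EMEA", "contractors-2026", "alumni"]
IDP_VALUES = ["partners-emea", "contractors-2026", "contractors-2026 ", "students"]

if __name__ == "__main__":
    for key, items in audit_role_mapping(ROLES, IDP_VALUES).items():
        print(f"{key}: {items}")
```

Anything reported under near_miss should be fixed on one side before users are pointed at the portal; orphaned entries are roles that currently grant access to nobody.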
Adding more groups later
If your IdP already sends a consistent attribute (like department or class), repeat these two steps for each new group. The portal URL and embed code do not change. No SSO reconfiguration, no new URLs, no re-embedding.
Monitor usage in Analytics
End-user sessions appear in your Analytics dashboard as anonymous conversations. You cannot see individual user identities because sessions are anonymous by design, but you can see engagement patterns.
To view external usage:
- Go to Analytics in the left navigation.
What you can see:
- Number of conversations and queries from external users
- Which agents were accessed and how often
- User behavior patterns: topics, intent, language, location
- Whether conversations found answers in the knowledge base or not
What you cannot see:
- Individual user identities (all external sessions are anonymous)
- Which specific role a conversation came from
Use conversation and query counts as a proxy for session volume. A spike in access errors or a drop in conversation completions may indicate a role configuration issue.
Revoke access
Remove a single user's access
Revoke the IdP attribute from that user in your IdP. Either remove them from the relevant group or change their attribute value so it no longer maps to a CustomGPT role.
Their current 24-hour session will continue until it expires. At their next login attempt, their attribute will return no matching role and access will be denied.
Remove access for an entire group
Delete or disable the role in CustomGPT and remove the attribute from that group in your IdP.
Removing the role alone is enough to deny access at next login. Removing the attribute in your IdP as well ensures users are not redirected to an authentication flow that fails.
Immediate revocation
There is no way to terminate an active session mid-session. If you need to cut off access before the 24-hour session expires, the only option is to disable the agent itself, which also removes it for all other users, including other roles.
Plan for the 24-hour window
Access changes (attribute updates, role deletions) take effect on the user's next authentication, not during an active session. For highly sensitive agents, consider whether the 24-hour exposure window is acceptable for your security requirements before granting external access. If immediate revocation is a hard requirement, this feature may not be the right fit. Consider using traditional CustomGPT accounts with direct user management instead.
