What your external users experience
When you share agents with external users through IdP access, the experience depends on which deployment method you chose: a portal URL or an embedded agent. This article explains what each flow looks like from the user's side, so you know what to expect and what to tell your users before they access an agent for the first time.
For setup instructions, see Deploy AI agents to your entire organization via IdP. For embed-specific deployment, see Deploy IdP-access controlled agent to external website.
Signing in via a portal URL
This is what happens when an external user clicks the portal login URL you shared with them.
1. The user visits the URL. They are immediately redirected to your organization's IdP login page. There is no CustomGPT branding at this step. They see their familiar corporate login screen.
2. They sign in with their normal work credentials.
3. After authentication, CustomGPT reads their IdP attribute value and maps it to the matching role.
4. From there, two things can happen depending on how many agents their role can access:
- One agent: they are taken directly into the chat. No extra steps.
- Multiple agents: they land on a selection portal showing the agents available to them. They click the one they want and are taken into chat.
The user never sees a CustomGPT dashboard, settings, or any account UI.
Signing in via an embedded agent
This flow applies when a user visits a page where you have embedded the agent: your intranet, a partner portal, a course platform, or any other web page.
1. The user arrives at the page. Instead of the chat interface, they see a "Sign in to chat" button.
2. They click the button. An IdP authentication popup opens, showing their familiar corporate login page, not a CustomGPT screen.
3. They sign in with their work credentials.
4. The popup closes automatically. The chat interface appears in its place.
The key difference from the portal flow is that the user never leaves the page. Authentication happens in the popup; the page stays put.
Popup blockers
If the authentication popup does not open, the user's browser may be blocking it. They should look for a "popup blocked" notification in the browser's address bar and allow popups for the site. If you are deploying to managed devices, consider adding the embed page's domain to the popup allow list in your browser management policy.
How sessions work
Both flows work the same way once a user is in chat:
- Sessions last 24 hours from the moment the user first authenticates. This duration is fixed and cannot be configured.
- After 24 hours, the user needs to sign in again to continue.
- Conversations do not carry over between sessions. Each session starts fresh.
- Users do not have a CustomGPT account. There is no profile, no saved history, no password to manage.
The 24-hour boundary keeps access tied to a current, valid IdP session rather than a persistent credential.
Switching between agents
If an external user's role gives them access to multiple agents:
- Via portal URL: They see a selection portal after signing in and choose an agent. To switch to a different agent, they must navigate back to the portal URL. There is no "back to portal" button inside the chat interface.
- Via embedded agent: Each embedded widget corresponds to one agent. If you have embedded multiple agents on different pages, the user can navigate between those pages within the same 24-hour session without re-authenticating.
What external users cannot access
External user sessions are strictly limited. They can only chat with agents assigned to their role. They cannot:
- Access the CustomGPT.ai dashboard or settings
- View or manage data sources, team members, or billing
- See other users' conversations
- Access agents not assigned to their role
If an external user tries to navigate to any other part of the platform, they are redirected back to the agent portal.
When something goes wrong
These are the most common issues your external users may encounter:
403 error or "access denied" after signing in. This means the user's IdP attribute value does not match any role in CustomGPT. The user cannot fix this themselves; it requires an admin to check the role name and IdP attribute configuration. Direct them to your IT contact or admin.
The sign-in popup does not open (embedded agent). The user's browser is likely blocking popups. They should look for a "popup blocked" notification in their address bar and allow popups for the site.
The sign-in popup does not close after authenticating. This can happen in rare cases. The user should click away from the popup once and try refreshing the page. The session should still be active.
Previous conversations are gone. This is expected behavior. Conversation history is not preserved between sessions. Each time a user authenticates, they start with a fresh conversation. If your users are accustomed to tools with persistent chat history, set this expectation before rollout.
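A pre-rollout check an admin could run against test users to predict which of the outcomes above each one will hit (direct chat, selection portal, or 403). This is an added example, not CustomGPT code. It assumes the IdP attribute value must equal a role name exactly, which the page does not state; the role names, agents and users are constructed samples.

```python
import re

# Constructed sample: role name -> agents assigned to that role.
ROLES = {
    "Partners": ["Partner FAQ"],
    "Staff": ["HR Helper", "IT Helpdesk"],
}

# Constructed sample: test user -> attribute value their IdP would send.
SAMPLE_USERS = {
    "ana": "Partners",
    "bo": "Staff",
    "cy": "staff ",
    "di": "Staff;Contractors",
    "ed": "Vendors",
}


def _norm(text):
    return text.strip().casefold()


def predict_outcome(value, roles=ROLES):
    """Return (outcome, detail); outcome is 'chat', 'portal', '403' or 'unknown'."""
    if value in roles:  # assumption: exact comparison against the role name
        agents = roles[value]
        if len(agents) == 1:
            return "chat", agents[0]
        if len(agents) > 1:
            return "portal", ", ".join(agents)
        return "unknown", "role has no agents; case not described on the page"
    # No matching role: the page says the user gets a 403 / "access denied".
    by_norm = {_norm(name): name for name in roles}
    if _norm(value) in by_norm:
        return "403", f"differs from role {by_norm[_norm(value)]!r} only by case or whitespace"
    parts = [p for p in re.split(r"[,;|]", value) if _norm(p) in by_norm]
    if parts:
        return "403", f"several values in one attribute, including role {by_norm[_norm(parts[0])]!r}"
    return "403", "no role with this name"


def report(users=SAMPLE_USERS):
    return {user: predict_outcome(value) for user, value in users.items()}


if __name__ == "__main__":
    for user, (outcome, detail) in report().items():
        print(f"{user:4} {outcome:7} {detail}")
```

The 403 hints separate a value that is close to an existing role name from one with no counterpart at all, which tells the admin whether to look at the role name or at the IdP attribute mapping.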
