
SSO and Authentication

Willow supports three layers of authentication and access control that work together:

| Layer | What it does |
| --- | --- |
| SSO | Controls how users sign in to Willow using your identity provider |
| SCIM provisioning | Keeps users and groups in sync between your IdP and Willow automatically |
| User MCP Policy | Controls whether users can connect their own personal MCP servers |

SSO

SSO connects Willow to your organization's identity provider so users sign in with their existing corporate credentials instead of Willow's default Google or GitHub social login. Eight providers are supported: Google, GitHub, Auth0, Okta, Azure AD, Keycloak, JumpCloud, and ADFS. All use the OAuth 2.0 authorization code flow; most are full OIDC providers. GitHub is the exception — its OAuth Apps are OAuth 2.0 only (no ID token or OIDC discovery), so OIDC-dependent features such as JWT passthrough do not apply to a GitHub login.

Configure SSO in Admin → Settings → Authentication Settings. The Provider dropdown defaults to Default (Willow's built-in auth); selecting a provider reveals the credential fields for that provider. Willow shows you the callback URL for each provider in the configuration screen; copy it into your IdP before entering credentials.

SSO also unlocks JWT passthrough for internal MCP servers. When configured, Willow captures the user's JWT at login and forwards it automatically to internal MCP servers that need identity context. Users authenticate once and Willow handles token refresh transparently.

SCIM provisioning

SCIM automates user and group lifecycle management between your IdP and Willow. When configured, your IdP creates, updates, and deprovisions users and groups in Willow automatically, with no manual admin work required. Willow's SCIM endpoint is at /scim/v2 and supports both Users and Groups.

SCIM uses its own authentication, separate from your SSO credentials. Generate an API token in Admin → API Tokens with the admin:scim permission scope and provide it to your IdP when configuring the SCIM connector.
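As an added example (not Willow's own code or any IdP's connector), the reconciliation step an IdP-side SCIM connector performs against Willow's /scim/v2 endpoint: it diffs the IdP's user list against what Willow currently holds and emits the SCIM 2.0 requests needed to create new users and deactivate users that left the IdP. The request shapes follow RFC 7644 and the sample users are constructed; the bearer token is assumed to be the admin:scim API token described above.

```python
"""Diff IdP users against Willow's SCIM Users and build the RFC 7644 requests
that bring Willow in sync. All sample data below is constructed."""
from __future__ import annotations

SCIM_BASE = "/scim/v2"  # Willow's SCIM endpoint
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_headers(token: str) -> dict:
    # Token is the Admin -> API Tokens token with the admin:scim scope
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json"}


def patch_active(user_id: str, active: bool) -> dict:
    """SCIM PATCH that flips a user's active flag (deprovision = False)."""
    return {"method": "PATCH", "path": f"{SCIM_BASE}/Users/{user_id}",
            "body": {"schemas": [PATCH_SCHEMA],
                     "Operations": [{"op": "replace", "path": "active",
                                     "value": active}]}}


def reconcile(idp_users: dict[str, dict], willow_users: dict[str, dict]) -> list[dict]:
    """idp_users: userName -> {"active": bool}; willow_users: userName -> {"id", "active"}."""
    ops: list[dict] = []
    for name, u in idp_users.items():
        if name not in willow_users:  # new in the IdP: create in Willow
            ops.append({"method": "POST", "path": f"{SCIM_BASE}/Users",
                        "body": {"schemas": [USER_SCHEMA], "userName": name,
                                 "active": u["active"],
                                 "emails": [{"value": name, "primary": True}]}})
        elif willow_users[name]["active"] != u["active"]:  # status drift
            ops.append(patch_active(willow_users[name]["id"], u["active"]))
    # Users gone from the IdP must be deactivated, never left active in Willow
    for name, w in willow_users.items():
        if name not in idp_users and w["active"]:
            ops.append(patch_active(w["id"], False))
    return ops


# Constructed sample state: the IdP's view versus what Willow currently holds
IDP = {"alice@example.com": {"active": True},
       "bob@example.com": {"active": False},
       "carol@example.com": {"active": True}}
WILLOW = {"alice@example.com": {"id": "u1", "active": True},
          "bob@example.com": {"id": "u2", "active": True},
          "dave@example.com": {"id": "u3", "active": True}}

if __name__ == "__main__":
    for op in reconcile(IDP, WILLOW):
        print(op["method"], op["path"], op["body"])
```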

User MCP Policy

The User MCP Policy controls whether end users can connect their own personal MCP servers, separate from the servers your organization manages centrally. The setting is in Admin → Settings → End-User Settings.

Three options are available: None means users cannot add personal servers; Needs Approval means user requests go to an admin for review before the server activates; Allow means users can connect servers immediately without approval.

SSO and your security posture

The Security Center tracks whether SSO is configured as part of the organization's security checklist. Until SSO is enabled, the Security Center shows SSO Authentication: Inactive and flags it as a medium-risk item with the recommendation to "Centralize user access and reduce credential sprawl." Enabling SSO resolves this checklist item.
