SSO and Authentication
Willow supports three layers of authentication and access control that work together:
| Layer | What it does |
|---|---|
| SSO | Controls how users sign in to Willow using your identity provider |
| SCIM provisioning | Keeps users and groups in sync between your IdP and Willow automatically |
| User MCP Policy | Controls whether users can connect their own personal MCP servers |
SSO
SSO connects Willow to your organization's identity provider so users sign in with their existing corporate credentials instead of Willow's default Google or GitHub social login. Eight providers are supported: Google, GitHub, Auth0, Okta, Azure AD, Keycloak, JumpCloud, and ADFS. All use the OAuth 2.0 authorization code flow; most are full OIDC providers. GitHub is the exception — its OAuth Apps are OAuth 2.0 only (no ID token or OIDC discovery), so OIDC-dependent features such as JWT passthrough do not apply to a GitHub login.
Configure SSO in Admin → Settings → Authentication Settings. The Provider dropdown defaults to Default (Willow's built-in auth); selecting a provider reveals the credential fields for that provider. Willow shows you the callback URL for each provider in the configuration screen; copy it into your IdP before entering credentials.
SSO also unlocks JWT passthrough for internal MCP servers. When configured, Willow captures the user's JWT at login and forwards it automatically to internal MCP servers that need identity context. Users authenticate once and Willow handles token refresh transparently.
SCIM provisioning
SCIM automates user and group lifecycle management between your IdP and Willow. When configured, your IdP creates, updates, and deprovisions users and groups in Willow automatically, with no manual admin work required. Willow's SCIM endpoint is at /scim/v2 and supports both Users and Groups.
SCIM uses its own authentication, separate from your SSO credentials. Generate an API token in Admin → API Tokens with the admin:scim permission scope and provide it to your IdP when configuring the SCIM connector.
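As an added example (not Willow's own code or documentation), the following Python client exercises the SCIM token and endpoint described above the way an IdP connector would: it looks a user up by `userName` and creates the user only if absent. It assumes Willow's `/scim/v2` endpoint follows the standard RFC 7644 resource paths (`/Users`) and filter syntax, which the page does not state explicitly; the base URL, token, and user values are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Constructed placeholders: replace with your Willow base URL and a SCIM
# API token generated in Admin -> API Tokens with the admin:scim scope.
WILLOW_BASE_URL = "https://willow.example.com"
SCIM_TOKEN = "<scim-api-token>"
SCIM_ENDPOINT = f"{WILLOW_BASE_URL}/scim/v2"   # endpoint named on the page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User


def scim_filter(attribute: str, operator: str, value: str) -> str:
    """Build an RFC 7644 filter expression with the value JSON-quoted, so a
    userName containing quotes or backslashes cannot change the filter."""
    return f"{attribute} {operator} {json.dumps(value)}"


def build_user(user_name: str, given: str, family: str, active: bool = True) -> dict:
    """Minimal core User resource as an IdP would push to /scim/v2/Users
    (assumption: the email is the same as the userName)."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": user_name, "primary": True}],
        "active": active,
    }


def scim_request(method: str, path: str, body=None) -> dict:
    """Send one authenticated SCIM call. The bearer token is the SCIM API
    token, not an SSO credential: SCIM auth is separate from SSO."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{SCIM_ENDPOINT}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {SCIM_TOKEN}")
    req.add_header("Accept", "application/scim+json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def ensure_user(user_name: str, given: str, family: str) -> dict:
    """Create the user only if no user with that userName exists (idempotent)."""
    query = urlencode({"filter": scim_filter("userName", "eq", user_name)})
    found = scim_request("GET", f"/Users?{query}")
    if found.get("totalResults", 0) > 0:
        return found["Resources"][0]
    return scim_request("POST", "/Users", build_user(user_name, given, family))


if __name__ == "__main__":
    print(json.dumps(ensure_user("alice@example.com", "Alice", "Example"), indent=2))
```

Run it once against a test tenant to confirm the token scope and endpoint before handing the token to your IdP's SCIM connector.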
User MCP Policy
The User MCP Policy controls whether end users can connect their own personal MCP servers, separate from the servers your organization manages centrally. The setting is in Admin → Settings → End-User Settings.
Three options are available: None means users cannot add personal servers; Needs Approval means user requests go to an admin for review before the server activates; Allow means users can connect servers immediately without approval.
SSO and your security posture
The Security Center tracks whether SSO is configured as part of the organization's security checklist. Until SSO is enabled, the Security Center shows SSO Authentication: Inactive and flags it as a medium-risk item with the recommendation to "Centralize user access and reduce credential sprawl." Enabling SSO resolves this checklist item.
Next steps
- Configure SSO: connect your identity provider
- SCIM Provisioning: automate user and group sync
- User MCP Policy: control user-added MCP servers