
Set up SAML or OIDC SSO

Decommission shared passwords, enforce MFA at the IdP, and use group claims for roles.


SSO is how you stop managing Cyvex passwords separately from the rest of your identity estate. It also lets you enforce MFA, conditional access, and lifecycle offboarding at the identity provider once — instead of per-tool forever.

Pick SAML or OIDC

Either works. OIDC is easier to set up with modern IdPs (Okta, Entra ID, Google). SAML is still the default in many enterprises. Use what your IdP team standardises on.

Group → role mapping

Map IdP groups to Cyvex roles so provisioning is automatic. A typical mapping:

  • cyvex-owners → Owner
  • cyvex-admins → Admin
  • cyvex-analysts → Analyst
  • cyvex-readers → Read-only

Offboarding

The biggest compliance win from SSO is automatic offboarding: when someone leaves the IdP, they lose Cyvex access instantly, not at the next quarterly access review. Auditors love this. Make sure your IdP lifecycle hooks are genuinely deprovisioning, not just disabling.
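One way to check both the group → role mapping and offboarding is to reconcile an IdP user export against the list of Cyvex accounts. The sketch below is an added example, not Cyvex's or any IdP's own code: the export shapes, field names (email, status, groups, role) and sample users are constructed, and the rule that the highest-privilege group wins when a user is in several is an assumption.

```python
# Added example: exports and field names are constructed, not a Cyvex or IdP API.
# Assumption: on multiple group matches the highest-privilege role (listed first) wins.
GROUP_TO_ROLE = [("cyvex-owners", "Owner"), ("cyvex-admins", "Admin"),
                 ("cyvex-analysts", "Analyst"), ("cyvex-readers", "Read-only")]


def expected_role(idp_user):
    """Role the IdP state implies, or None when the user should have no access."""
    if idp_user is None or idp_user.get("status") != "active":
        return None  # absent or disabled in the IdP: no access
    groups = idp_user.get("groups") or []
    if isinstance(groups, str):  # a single group may arrive as a bare string
        groups = [groups]
    names = {g.strip().lower() for g in groups}
    for group, role in GROUP_TO_ROLE:
        if group in names:
            return role
    return None  # deny by default: no mapped group, no role


def reconcile(idp_users, cyvex_accounts):
    """Return {email: finding} for Cyvex accounts that disagree with the IdP."""
    by_email = {u["email"].lower(): u for u in idp_users}
    findings = {}
    for acct in cyvex_accounts:
        email = acct["email"].lower()
        idp_user = by_email.get(email)
        want = expected_role(idp_user)
        if idp_user is None:
            findings[email] = "orphaned: no IdP user"
        elif idp_user.get("status") != "active":
            findings[email] = "disabled in IdP but account still exists"
        elif want != acct["role"]:
            findings[email] = "role drift: has %s, expected %s" % (acct["role"], want or "no access")
    return findings


IDP_USERS = [  # constructed sample data
    {"email": "ana@example.com", "status": "active", "groups": ["cyvex-analysts", "cyvex-admins"]},
    {"email": "bo@example.com", "status": "suspended", "groups": ["cyvex-owners"]},
    {"email": "cy@example.com", "status": "active", "groups": "cyvex-readers"},
    {"email": "di@example.com", "status": "active", "groups": ["hr-all"]},
]
CYVEX_ACCOUNTS = [  # constructed sample data
    {"email": "ana@example.com", "role": "Admin"}, {"email": "bo@example.com", "role": "Owner"},
    {"email": "cy@example.com", "role": "Analyst"}, {"email": "di@example.com", "role": "Read-only"},
    {"email": "ex@example.com", "role": "Admin"},
]
print(reconcile(IDP_USERS, CYVEX_ACCOUNTS))
```

An account that is only disabled in the IdP shows up as its own finding, which is the "disabling, not deprovisioning" case to chase with the IdP team.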