Identity Provider

    WorkOS for B2B LLM Auth

    Building AI for enterprise customers? WorkOS handles the SSO complexity. Attach Gateway verifies WorkOS tokens and adds identity to every LLM request.

    Why WorkOS + Attach?

    Enterprise customers demand SSO. WorkOS makes it easy to support any IdP:

    • One integration → support Okta, Azure AD, Google, OneLogin, and more
    • WorkOS handles SAML/OIDC negotiation
    • Attach verifies tokens and tracks usage per-organization
    • Directory sync keeps permissions up-to-date

    Key Features

    Enterprise SSO

    SAML and OIDC support for enterprise customers. Connect to any corporate IdP through WorkOS.

    Directory Sync

    SCIM provisioning syncs users and groups automatically. Permissions update in real time.

    Quick Integration

    WorkOS abstracts enterprise complexity. One integration covers hundreds of IdPs.

    Setup Guide

    1. Set up WorkOS

    Create a WorkOS account and configure your organization's SSO.

    # WorkOS Dashboard > Organizations
    # Configure SSO connection (Okta, Azure AD, Google, etc.)
    # Note your:
    #   - Client ID
    #   - Client Secret
    #   - API Key

    2. Configure Attach Gateway

    export AUTH_BACKEND=workos
    export OIDC_ISSUER=https://api.workos.com
    export OIDC_AUD=your-workos-client-id
    
    # WorkOS handles SSO, Attach verifies the JWT
    attach-gateway --port 8080

    3. Authenticate via WorkOS

    // In your app - WorkOS SSO flow
    import { WorkOS } from '@workos-inc/node';
    
    const workos = new WorkOS(process.env.WORKOS_API_KEY);
    
    // Get authorization URL
    const authUrl = workos.sso.getAuthorizationURL({
      clientID: process.env.WORKOS_CLIENT_ID,
      redirectURI: 'https://your-app.com/callback',
      organization: 'org_123',
    });
    
    // After callback, exchange code for profile + token

    4. Use tokens with Attach

    # WorkOS issues JWT after SSO
    # Attach validates and extracts user identity
    curl -H "Authorization: Bearer $WORKOS_JWT" \
      -d '{"model":"llama3","prompt":"hello"}' \
      http://localhost:8080/api/chat
    
    # User org and role available in headers

    Supported via WorkOS

    Okta
    Azure AD
    Google Workspace
    OneLogin
    PingIdentity
    JumpCloud
    Duo
    Any SAML 2.0

    WorkOS abstracts IdP complexity. One integration supports all enterprise customers.

    Perfect for B2B SaaS

    Building AI features for enterprise customers? WorkOS + Attach lets each customer use their own SSO while you track usage and apply quotas per-organization.

    Frequently Asked Questions

    How does WorkOS handle multiple customer IdPs?

    WorkOS abstracts IdP complexity with its SSO Connection model. Each of your enterprise customers configures their own IdP (Okta, Azure AD, Google, etc.) through WorkOS. You write one integration, and WorkOS normalizes tokens from all providers into a consistent format that Attach can verify.

    Can I set different quotas per organization?

    Yes. WorkOS tokens include organization claims. Attach can extract the org_id and apply organization-specific rate limits and token quotas. Enterprise customers paying more can get higher limits—all configured through environment variables or Attach's policy file.
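
    The checks behind the OIDC_ISSUER and OIDC_AUD settings in step 2 and the per-organization quota described above, sketched as an added example (not Attach Gateway's or WorkOS's own code). It assumes RS256-signed tokens and uses a throwaway key pair as a stand-in for the issuer's published signing key; verifyToken, makeQuota and demoIssuer are hypothetical names.

```javascript
// Added illustration. WebCrypto is global in Node 20+; older CommonJS falls back to node:crypto.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const ALG = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }; // RS256
const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// Signature first, then issuer, audience, expiry and the organization claim.
async function verifyToken(token, publicKey, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm; the token header must not choose it ("none", HS256 confusion).
  if (JSON.parse(fromB64u(h).toString()).alg !== 'RS256') throw new Error('unexpected alg');
  const signed = await subtle.verify(ALG, publicKey, fromB64u(s), Buffer.from(`${h}.${p}`));
  if (!signed) throw new Error('bad signature');
  const claims = JSON.parse(fromB64u(p).toString());
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud ?? []).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // No org claim means no quota bucket: reject rather than fall into a shared default.
  if (typeof claims.org_id !== 'string' || !claims.org_id) throw new Error('missing org_id');
  return claims;
}

// Per-organization token budget keyed on the verified org_id (limits are hypothetical).
function makeQuota(limits) {
  const caps = new Map(Object.entries(limits));
  const used = new Map();
  return (orgId, tokens) => {
    const total = (used.get(orgId) ?? 0) + tokens;
    if (!caps.has(orgId) || total > caps.get(orgId)) return false; // unknown org: deny
    used.set(orgId, total);
    return true;
  };
}

// Constructed fixture: throwaway RSA key pair and a signer standing in for the issuer.
async function demoIssuer() {
  const { publicKey, privateKey } = await subtle.generateKey(
    { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    false, ['sign', 'verify']);
  const mint = async (claims) => {
    const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
    const input = `${head}.${b64u(JSON.stringify(claims))}`;
    return `${input}.${b64u(await subtle.sign(ALG, privateKey, Buffer.from(input)))}`;
  };
  return { publicKey, mint };
}
```

    In a real deployment the public key comes from the issuer's published key set, and the quota is charged only after verifyToken returns.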

    How fast does Directory Sync update permissions?

    SCIM provisioning is near-real-time. When an employee is added to or removed from a group in your customer's directory, WorkOS receives the webhook and updates immediately. New tokens reflect the changes, and Attach will enforce the new permissions on the next request.

    What happens when a customer hasn't configured SSO yet?

    WorkOS provides a fallback flow—you can use email/password or magic links for organizations that haven't set up SSO. Attach treats these tokens the same way. When the customer is ready for SSO, they configure it in WorkOS without any changes to your Attach setup.

    Ready for Enterprise-Ready AI?

    Support any enterprise IdP with WorkOS + Attach.