Tenant: primeassist-dev

Settings · Identity (SSO)

SAML single sign-on.

Route your enterprise IdP through Auth0 and let PrimeAssist provision users and assign roles from SAML claims at login.

Connection

Paste the Auth0 SAML connection ID plus the IdP's entity ID and SSO URL. Your platform operator created the connection in Auth0; this form stores the metadata so PrimeAssist can validate the post-login Action callbacks.

Role mappings

Each row maps a SAML attribute value (e.g. groups=okta-admins) to one of the six PrimeAssist roles. Exactly one row must be marked default; users without a matching claim get that role.

The Auth0 post-login Action must be configured for these mappings to take effect. Until it is, SAML JIT provisioning is dormant and existing users keep the role they currently have.

SAML attribute | Value | PA role | Default | Actions
No role mappings yet. Add the first one below — at least one row must be marked default so users without a matching claim get a fallback role.

Roles reference

Roles

Six built-in roles.

SAML claims map to one of these roles. Roles are enforced per-endpoint by the backend — a SAML attribute that does not match any mapping falls back to the row marked default.

admin (Admin)
Full control — billing, members, all agents and tools.
member (Member)
Legacy default — edit agents, knowledge, run conversations.
viewer (Viewer)
Read-only — can browse the dashboard but not edit.
agent_builder (Agent builder)
Edits agents, knowledge, and tools. Cannot manage members or billing.
tenant_operator (Tenant operator)
Acts on support escalations via the handoff inbox; can resolve plan-upgrade requests.
compliance_reviewer (Compliance reviewer)
Read-only on audit logs and change-approval flows.
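
Added example, not PrimeAssist's or Auth0's own code: the mapping rules described under Role mappings and Roles reference (one of six roles, exactly one default row, fallback to the default when no claim matches), written as a validator and resolver. The row shape (attribute, value, role, isDefault), first-match-wins ordering and exact string comparison are assumptions; the role identifiers are the six listed above, and the sample rows are constructed.

```javascript
// Added example: role identifiers are the six listed on this page.
const ROLES = new Set(["admin", "member", "viewer", "agent_builder",
  "tenant_operator", "compliance_reviewer"]);

// Returns a list of problems; an empty list means the table is usable.
function validateMappings(rows) {
  const errors = [];
  rows.forEach((r, i) => {
    if (!r.attribute || !r.value) errors.push(`row ${i}: attribute and value are required`);
    if (!ROLES.has(r.role)) errors.push(`row ${i}: unknown role "${r.role}"`);
  });
  const defaults = rows.filter((r) => r.isDefault === true).length;
  if (defaults !== 1) errors.push(`expected exactly one default row, found ${defaults}`);
  return errors;
}

// Normalise a claim to an array of strings (SAML attributes may be multi-valued).
function claimValues(claims, attribute) {
  const v = claims ? claims[attribute] : undefined;
  if (v === undefined || v === null) return [];
  return (Array.isArray(v) ? v : [v]).map(String);
}

// Resolve one role. Assumption: rows are checked in table order, first match wins,
// and values are compared exactly (no substring or case-insensitive matching).
function resolveRole(rows, claims) {
  const errors = validateMappings(rows);
  if (errors.length > 0) throw new Error(`invalid role mappings: ${errors.join("; ")}`);
  const hit = rows.find((r) => claimValues(claims, r.attribute).includes(r.value));
  const row = hit || rows.find((r) => r.isDefault);
  return { role: row.role, viaDefault: !hit };
}

// Constructed sample table and claims.
const sampleRows = [
  { attribute: "groups", value: "okta-admins", role: "admin", isDefault: false },
  { attribute: "groups", value: "okta-audit", role: "compliance_reviewer", isDefault: false },
  { attribute: "groups", value: "okta-everyone", role: "viewer", isDefault: true },
];
console.log(resolveRole(sampleRows, { groups: ["okta-audit", "okta-everyone"] }));
console.log(resolveRole(sampleRows, { groups: "okta-admins-readonly" }));
```

Because unmatched users receive the default row's role, the second call shows a near-miss group name landing on viewer rather than admin.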