SAML 2.0 + SCIM 2.0, verified against the IdPs you actually run

Enterprise SSO that's actually tested. Gitrevio's SAML SP and SCIM provider are verified end-to-end against Okta, Azure AD, Ping, and OneLogin. JIT provisioning, IdP-group → role mapping, org_unit closure tables, and a separation-of-duties workflow ship in the box.

Verified IdPs

Each IdP carries a documented setup guide, a metadata round-trip test, and a SCIM compatibility report — no "it should work with any SAML-compliant IdP" hand-waving.

Okta
SAML 2.0 + SCIM 2.0, JIT, group mapping. Verified.
Azure AD
SAML 2.0 + SCIM 2.0, JIT, group mapping. Verified.
Ping Identity
SAML 2.0 + SCIM 2.0, JIT, group mapping. Verified.
OneLogin
SAML 2.0 + SCIM 2.0, JIT, group mapping. Verified.

SCIM 2.0 — Users + Groups

RFC 7644-compliant Users and Groups endpoints. JIT provisioning on first login; reconciliation via scheduled SCIM sync; IdP-group → Gitrevio-role mapping configurable per customer.

JIT provisioning creates the user record on the first successful SAML assertion. The default role comes from the IdP-group mapping; there is no out-of-band invitation flow.

Deprovisioning is a SCIM DELETE — and it cascades through the audit log, the session store, and any active alert subscriptions.

Group → role mapping supports many-to-one and one-to-many. Conflicts are logged and resolved by an explicit precedence table.

# SCIM Users POST
POST /scim/v2/Users
{
  "userName": "alice@acme.io",
  "name": {"givenName": "Alice"},
  "emails": [{"value": "..."}],
  "groups": [{"value": "eng-leads"}],
  "active": true
}
→ 201 Created
→ role: engineering_manager
→ org_unit: engineering / platform

Org graph: closure-table + SCD-2

org_unit lives in a closure-table schema: every ancestor/descendant pair is materialised, so rollup queries are O(rows) joins rather than recursive CTEs. team_membership is SCD-2, so historical reports are reproducible.

org_unit + closure-table
Hierarchical org schema with materialised ancestor/descendant pairs. Rollups in a single join.
team_membership_history (SCD-2)
effective_from / effective_to per membership row. Historical reports reproduce exactly even after re-orgs.
org_drift_detector
Flags discrepancies between the IdP-provided org graph and the activity-inferred graph.
org_rollup_scorecard
Aggregated metric scorecard per org_unit at any depth.
Quarterly access review export
CSV export of all role + group memberships, suitable for SOC 2 / ISO 27001 evidence.
Separation-of-duties workflow
Sensitive operations (skill install, role grant, key rotation) require a second approver. Enforced server-side.
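
The closure-table and SCD-2 design described above, as an added example (not Gitrevio's schema or code): a point-in-time membership rollup of the kind an access review needs, run against SQLite from Python without recursion. The org_unit_closure table, every column name other than effective_from / effective_to, and all rows are assumptions constructed for illustration.

```python
import sqlite3

# Added illustration, not Gitrevio's schema. Names other than org_unit,
# team_membership_history, effective_from and effective_to are assumptions.
SCHEMA = """
CREATE TABLE org_unit (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
-- One row per ancestor/descendant pair, including each unit paired with itself.
CREATE TABLE org_unit_closure (
    ancestor_id INTEGER, descendant_id INTEGER, depth INTEGER,
    PRIMARY KEY (ancestor_id, descendant_id));
-- SCD-2: a change closes the old row and opens a new one; nothing is overwritten.
CREATE TABLE team_membership_history (
    user_name TEXT, org_unit_id INTEGER,
    effective_from TEXT NOT NULL, effective_to TEXT);  -- NULL = still current
"""

def build_demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO org_unit VALUES (?, ?)",
                     [(1, "engineering"), (2, "platform"), (3, "security")])
    conn.executemany("INSERT INTO org_unit_closure VALUES (?, ?, ?)",
                     [(1, 1, 0), (2, 2, 0), (3, 3, 0), (1, 2, 1), (1, 3, 1)])
    conn.executemany("INSERT INTO team_membership_history VALUES (?, ?, ?, ?)", [
        ("alice", 2, "2023-01-01", "2024-04-01"),  # moved in a re-org
        ("alice", 3, "2024-04-01", None),
        ("bob",   2, "2023-06-01", None),
        ("carol", 3, "2023-01-01", "2023-12-31"),  # membership ended
    ])
    return conn

def members_as_of(conn, unit_name, as_of):
    """Members of unit_name and all its descendants on ISO date as_of."""
    return conn.execute("""
        SELECT m.user_name, d.name
        FROM org_unit a
        JOIN org_unit_closure c ON c.ancestor_id = a.id
        JOIN team_membership_history m ON m.org_unit_id = c.descendant_id
        JOIN org_unit d ON d.id = m.org_unit_id
        WHERE a.name = ?
          AND m.effective_from <= ?                           -- half-open interval
          AND (m.effective_to IS NULL OR m.effective_to > ?)  -- [from, to)
        ORDER BY m.user_name""", (unit_name, as_of, as_of)).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    for day in ("2024-01-15", "2024-06-01"):
        print(day, members_as_of(db, "engineering", day))
```

Treating effective_to as exclusive means a user who moves units on a given day appears in exactly one unit for that day, so a historical export never double-counts a membership.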
