# SSO & authentication GLBNXT Workspace supports enterprise-grade authentication, allowing your organisation to manage how users log in to the platform in a way that is secure, consistent, and aligned with your existing identity infrastructure. Rather than requiring users to maintain a separate set of credentials for Workspace, you can connect the platform to your organisation's identity provider and let your existing authentication processes handle access. *** ### Why Authentication Matters at the Enterprise Level Authentication is the first line of defence in any secure platform. For an AI environment that may be handling sensitive documents, confidential business data, and proprietary knowledge, ensuring that only authorised users can access the platform, and that access is managed centrally, is a fundamental requirement. For most enterprise organisations, this means integrating Workspace with the identity management systems already in place, rather than introducing a new silo of credentials to manage. Single sign-on makes this possible, and it brings meaningful benefits for both users and administrators. *** ### Single Sign-On Single sign-on, commonly referred to as SSO, allows users to access GLBNXT Workspace using the same credentials they use for the rest of their organisation's applications. Rather than logging in with a separate username and password, users authenticate through your organisation's identity provider and are granted access to Workspace automatically as part of that process. From the user's perspective, SSO simplifies access considerably. There are no additional credentials to remember, no separate login page to navigate, and no risk of being locked out of Workspace independently of the rest of your organisation's systems. From an administrator's perspective, SSO centralises access management. When a user joins the organisation, they gain access to Workspace as part of the standard onboarding process. When a user leaves, revoking their access to your identity provider immediately removes their access to Workspace as well, without requiring a separate deprovisioning step. *** ### Supported Identity Providers and Protocols Workspace supports authentication via industry-standard protocols, allowing it to integrate with the identity providers most commonly used in enterprise environments. **OpenID Connect (OIDC)** is the primary protocol supported for SSO integration. OIDC is widely adopted and is the authentication layer used by most modern identity providers. **SAML 2.0** is supported for organisations using identity providers that rely on this standard, which remains common in larger enterprise environments and public sector organisations. Workspace is compatible with leading enterprise identity providers including but not limited to Microsoft Entra ID (formerly Azure Active Directory), Okta, Google Workspace, and other OIDC and SAML-compliant identity providers. If your organisation uses a different provider, contact your GLBNXT representative to confirm compatibility before configuration. *** ### Group and Role Synchronisation When SSO is configured, Workspace can synchronise group membership and role information from your identity provider. This means that the teams, departments, and roles you have already defined in your identity management system can be mapped directly to access levels and permissions within Workspace, without requiring administrators to manage group membership in two places separately. When a user's group membership changes in your identity provider, for example when they move to a different team or take on a new role, those changes can be reflected automatically in their Workspace access. This keeps access aligned with organisational reality without creating ongoing manual synchronisation work. *** ### Multi-Factor Authentication Workspace supports multi-factor authentication as an additional layer of security for user logins. When MFA is enabled, users are required to verify their identity through a second factor, such as an authenticator application or a one-time code, in addition to their primary credentials. For organisations using SSO, MFA is typically enforced at the identity provider level, meaning users are subject to the same MFA requirements in Workspace as they are across the rest of your organisation's applications. This is the recommended approach, as it allows MFA policy to be managed centrally rather than configured separately per application. For organisations not using SSO, MFA can be enabled directly within the Workspace authentication settings. *** ### Session Management Workspace supports configurable session management, allowing administrators to define how long an authenticated session remains active before a user is required to re-authenticate. This includes: **Session timeout.** The period of inactivity after which a session expires and the user must log in again. Setting an appropriate timeout reduces the risk of an unattended session being accessed by an unauthorised party. **Session duration limits.** The maximum length of an active session regardless of activity, after which re-authentication is required. This ensures that credentials are periodically revalidated even for users who remain actively engaged with the platform. These settings can be configured to match your organisation's broader session management policies and any applicable compliance requirements. *** ### Configuring Authentication Authentication configuration is handled through the administrative settings of the Workspace environment and is typically completed during the initial onboarding and setup process. The configuration requires input from both your GLBNXT administrator and your organisation's identity management team. For a step-by-step guide to configuring SSO for your specific identity provider, refer to the dedicated authentication configuration documentation or contact the GLBNXT support team for assistance. *** ### A Note on Sovereign Access Management All authentication flows within GLBNXT Workspace are processed on GLBNXT-owned EU infrastructure. Credentials and session data are never routed through or stored on third-party infrastructure outside the GLBNXT environment. This ensures that your organisation's access management remains within the same sovereign boundary as the rest of the platform, maintaining the integrity of your data governance posture end to end. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.glbnxt.com/workspace/enterprise-controls/sso-and-authentication.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.