Single Sign-On (SSO)

Single sign-on is available on AthenaHQ Enterprise plans. AthenaHQ supports SAML 2.0 and OIDC and works with any standards-compliant identity provider.

​

User provisioning (SCIM 2.0)

AthenaHQ exposes a SCIM 2.0 endpoint for automated user provisioning and deprovisioning from your identity provider:

• Base URL: https://app.athenahq.ai/api/scim/v2
• Authentication: OAuth bearer token. Generate the token from Settings → General in the AthenaHQ dashboard.
• Supported operations: user create, read, update (PUT and PATCH), and deprovision. Filter is supported (max 100 results per page).
• Out of scope today: group provisioning, bulk operations, and sort are not implemented. AthenaHQ does not use passwords, so SCIM password change is not applicable. If you need any of the unsupported operations, mention it when you contact support.

Configure the SCIM endpoint and bearer token in your IdP’s provisioning settings to keep AthenaHQ membership in sync with your directory.

​

Request setup

To enable SSO for your organization, email support@athenahq.ai with:

• Your AthenaHQ organization name
• The identity provider you want to connect and the protocol you plan to use (SAML or OIDC)
• The email domain(s) your users sign in with
• A primary technical contact for the rollout

Our team will reply with the AthenaHQ-side configuration for your chosen protocol:

• SAML connections: ACS URL, entity ID, and signing certificate so you can register AthenaHQ as a service provider in your IdP. You then send back your IdP’s SAML metadata (or sign-in URL + signing certificate).
• OIDC connections: the redirect URI and required scopes so you can create an OIDC client in your IdP. You then send back the client_id and client_secret issued by your IdP.

Any client secret or signing certificate must be shared through a secure channel (e.g. 1Password share, encrypted file, or another agreed secret-handling tool); do not paste secrets into plain email or chat.