Overview
WorkOS provides enterprise-ready authentication features including Single Sign-On (SSO), Directory Sync (SCIM), and Admin Portal capabilities. This integration enables MemberPulse to support enterprise clients with existing identity providers.Single Sign-On
SAML and OIDC SSO with 50+ identity providers
Directory Sync
Automatic user provisioning via SCIM
Audit Logs
Enterprise compliance and activity tracking
Prerequisites
Before configuring WorkOS:- Create a WorkOS account at workos.com
- Obtain your API Key and Client ID from the WorkOS Dashboard
- Configure your redirect URIs in WorkOS
Configuration
Environment Variables
Add these to your environment configuration:Acceptance Criteria
Frontend
- Environment Variables workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Environment Variables as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Platform Settings
Navigate to Admin Portal > Platform Settings > Integrations > WorkOSAcceptance Criteria
Frontend
- Platform Settings workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Platform Settings as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Single Sign-On (SSO)
Supported Identity Providers
WorkOS SSO supports 50+ identity providers including:Okta
Azure AD
Google Workspace
OneLogin
JumpCloud
Ping Identity
Auth0
Custom SAML
Acceptance Criteria
Frontend
- Supported Identity Providers workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Supported Identity Providers as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
SSO Login Flow
Acceptance Criteria
Frontend
- SSO Login Flow workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports SSO Login Flow as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Configuring SSO for an Organization
- Navigate to Client Portal > Settings > Authentication
- Click Configure SSO
- Select identity provider type (SAML 2.0 or OIDC)
- Enter connection details provided by your IdP:
- SAML 2.0
- OIDC
- Test the connection
- Enable SSO for users
Acceptance Criteria
Frontend
- Configuring SSO for an Organization workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Configuring SSO for an Organization as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
SSO User Attributes
Map IdP attributes to MemberPulse user fields:Acceptance Criteria
Frontend
- SSO User Attributes workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports SSO User Attributes as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Directory Sync (SCIM)
Automatically provision and deprovision users based on your identity provider’s directory.Supported Directories
- Okta
- Azure AD (Entra ID)
- Google Workspace
- OneLogin
- JumpCloud
- Generic SCIM 2.0
Acceptance Criteria
Frontend
- Supported Directories workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Supported Directories as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
SCIM Capabilities
Acceptance Criteria
Frontend
- SCIM Capabilities workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports SCIM Capabilities as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Configuring Directory Sync
- Navigate to Admin Portal > Platform Settings > Directory Sync
- Click Add Directory
- Select your directory provider
- Copy the SCIM endpoint URL and bearer token
- Configure SCIM provisioning in your IdP using these credentials
https://api.workos.com/directories/{directory_id}/scim/v2
Acceptance Criteria
Frontend
- Configuring Directory Sync workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Configuring Directory Sync as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Attribute Mapping
Acceptance Criteria
Frontend
- Attribute Mapping workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Attribute Mapping as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Group to Role Mapping
Map directory groups to MemberPulse roles:Acceptance Criteria
Frontend
- Group to Role Mapping workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Group to Role Mapping as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Webhooks
WorkOS sends webhooks for real-time event notifications.Webhook Events
Acceptance Criteria
Frontend
- Webhook Events workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Webhook Events as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Webhook Endpoint
Configure in WorkOS Dashboard:Acceptance Criteria
Frontend
- Webhook Endpoint workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Webhook Endpoint as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Webhook Payload Example
Acceptance Criteria
Frontend
- Webhook Payload Example workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Webhook Payload Example as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Admin Portal
WorkOS Admin Portal allows enterprise clients to self-manage their SSO and Directory Sync configurations.Generating Admin Portal Link
Acceptance Criteria
Frontend
- Generating Admin Portal Link workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Generating Admin Portal Link as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Admin Portal Capabilities
- Configure SSO connections
- Upload IdP metadata/certificates
- Test SSO connections
- Configure directory sync
- View sync logs and errors
Acceptance Criteria
Frontend
- Admin Portal Capabilities workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Admin Portal Capabilities as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
API Reference
Authentication Endpoints
Acceptance Criteria
Frontend
- Authentication Endpoints workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Authentication Endpoints as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Directory Sync Endpoints
Acceptance Criteria
Frontend
- Directory Sync Endpoints workflow is implemented in the UI as described.
Backend / API
- Backend behavior supports Directory Sync Endpoints as documented.
Permissions
- Access is restricted per the Capabilities matrix on this page (or equivalent role rules).
Business Rules
- All business rules for this feature are enforced.
Error Handling
- Error states return clear messages and appropriate HTTP status codes.
Troubleshooting
SSO login fails with 'Invalid connection'
SSO login fails with 'Invalid connection'
- Verify the SSO connection is activated in WorkOS Dashboard
- Check that the organization has the correct connection ID
- Ensure redirect URIs match exactly
Users not syncing from directory
Users not syncing from directory
- Verify SCIM endpoint and bearer token in IdP
- Check WorkOS Dashboard for sync errors
- Ensure users are assigned to the correct groups in IdP
- Check attribute mapping configuration
Webhook events not received
Webhook events not received
- Verify webhook URL is accessible from internet
- Check webhook secret is configured correctly
- Review webhook logs in WorkOS Dashboard
- Ensure firewall allows WorkOS IP addresses
Security Considerations
- Store API keys in secure environment variables
- Validate webhook signatures before processing
- Use HTTPS for all callback URLs
- Regularly rotate API keys
- Monitor audit logs for suspicious activity
Features
WorkOS Integration
Acceptance Criteria
Frontend
- UI provides configuration controls and status/health indicators for this integration.
Backend / API
- Integration can be connected, configured, and exercised end-to-end (auth + sync/webhooks).
Permissions
- Only
ROLE_CLIENT_ADMIN(or equivalent) can configure the integration.
Business Rules
- Data sync respects tenant isolation and mapping rules.
Error Handling
- Auth and sync failures are surfaced with actionable messages and retry behavior.