CiVQ Knowledge Guide
Modules · Operations tier

Enterprise SSO (SAML & SCIM)

SAML 2.0 single sign-on and SCIM 2.0 user provisioning — staff log in through the entity's identity provider, and users are provisioned and deprovisioned automatically. Ships disabled until configured per tenant.

Staff-only · Ships disabled · Operations tier · Bilingual EN / ES

An IT admin points the tenant at its identity provider with SAML metadata, turns SSO on so staff sign in through the IdP instead of a local password, and enables SCIM so accounts are created, updated, and disabled automatically as people join and leave in the IdP. It ships off by design — nothing changes for a tenant until its admin configures it.

What you can do

SAML

Configure the IdP

Enter the tenant's SAML 2.0 metadata — the identity provider CiVQ trusts to authenticate staff for this entity.

Sign-on

Enable single sign-on

Turn SSO on so staff log in through the IdP — the same credentials they use for everything else, with the IdP's own MFA.

SCIM

Auto-provision users

Enable SCIM 2.0 so users are created and updated in CiVQ automatically from the IdP — no manual account setup per hire.

Deprovision

Auto-disable on offboard

When the IdP disables a user, SCIM deprovisions their CiVQ access too — so a departing employee loses the login at the same moment.

Per-tenant

Scoped to one entity

SSO and SCIM are configured per tenant, so each entity wires up its own identity provider independently.

Off by default

Ships disabled

The module ships disabled; tenants without an IdP keep using normal sign-in, and nothing turns on until an admin configures it.

A typical workflow

  1. Add the SAML metadata — the IT admin enters the tenant's identity provider configuration.
  2. Enable SSO — turn single sign-on on so staff authenticate through the IdP.
  3. Test the login — confirm a staff member can sign in through the provider.
  4. Enable SCIM — turn on provisioning so users sync from the IdP.
  5. Offboard cleanly — a user disabled in the IdP is deprovisioned in CiVQ automatically.
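
The offboarding step relies on the IdP sending a SCIM 2.0 PatchOp that sets the user's `active` attribute to false. As an added example (not CiVQ's code; the function names and sample records are hypothetical, and only the `active` attribute is handled), this is one way a SCIM receiver can apply that request and fail closed at sign-in:

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _to_bool(value):
    # Some IdP clients serialize booleans as the strings "True"/"False".
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"active must be boolean, got {value!r}")


def apply_active_patch(user, patch):
    """Return a copy of `user` with any PatchOp change to `active` applied."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = dict(user)
    for op in patch.get("Operations", []):
        verb = str(op.get("op", "")).lower()  # tolerate "Replace" as well as "replace"
        path, value = op.get("path"), op.get("value")
        if verb not in ("add", "replace"):
            continue
        if isinstance(path, str) and path.lower() == "active":
            updated["active"] = _to_bool(value)          # form 1: explicit path
        elif path is None and isinstance(value, dict):
            for key, val in value.items():               # form 2: no path, value object
                if key.lower() == "active":
                    updated["active"] = _to_bool(val)
    return updated


def login_allowed(user):
    # Fail closed: a record without an explicit active=True cannot sign in.
    return user.get("active") is True


# Constructed sample data (hypothetical user and requests).
USER = {"id": "u-1001", "userName": "jdoe@example.gov", "active": True}
PATCH_WITH_PATH = {"schemas": [PATCH_SCHEMA],
                   "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
PATCH_NO_PATH = {"schemas": [PATCH_SCHEMA],
                 "Operations": [{"op": "replace", "value": {"active": False}}]}
```

When testing the offboarding step, confirm that both request shapes end with the account unable to sign in, since IdPs differ in which one they send.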

A closer look

In practice

A county IT admin pastes the entity's Azure AD SAML metadata, enables SSO, and tests a login — staff now reach the dashboard through the same provider they use for email, with the IdP enforcing MFA. Then they flip on SCIM: new hires appear in CiVQ the moment HR adds them in the IdP, and when someone is offboarded there, their CiVQ login is disabled automatically. No orphaned accounts, no per-hire setup.

Where it lives

Staff: /dashboard/itmanagement identity settings — SAML metadata, the SSO toggle, and SCIM provisioning. Disabled out of the box until a tenant admin configures it.

Works with

IT Management for the duties and access provisioned users land with · Signing in — SSO replaces the local password prompt for staff.

© 2026 CiVQ · Pragmatic Business Solutions, LLC — Rio Grande City, Texas