Mnemos AI
Administration

Single sign-on

Standards-based SSO via OIDC or SAML 2.0, with step-by-step setup for the major identity providers.

Plan availability

SSO is included on every plan, including the free Starter tier. SCIM provisioning requires Business or Enterprise.

What you'll need from Mnemos

These values are visible at Settings → Authentication. They're unique per organization.

Mnemos SAML metadata
Entity ID:      https://app.mnemos.ai/saml/<org_id>
ACS URL:        https://app.mnemos.ai/api/auth/callback/saml/<org_id>
NameID format:  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Bindings:       HTTP-POST
Mnemos OIDC redirect
Redirect URI:   https://app.mnemos.ai/api/auth/callback/oidc/<org_id>
Scopes:         openid email profile
Grant type:     authorization_code with PKCE

Okta (SAML)

  1. In the Okta admin console, create a new SAML 2.0 application.
  2. Set the ACS URL and Entity ID from the values above.
  3. Map attributes: email, firstName, lastName, and optionally groups (filter: mnemos-.*).
  4. Download the Okta-provided IdP metadata XML.
  5. Upload it to Settings → Authentication → SAML, then run the verification handshake.

Microsoft Entra ID (OIDC)

  1. Register a new app in Entra ID under App registrations.
  2. Add the Mnemos redirect URI as a Web platform redirect.
  3. Generate a client secret; record the client ID, tenant ID, and secret.
  4. Grant the openid, email, and profile delegated permissions (listed under Microsoft Graph).
  5. In Mnemos, paste the discovery URL https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration plus the client ID and secret.

Google Workspace (OIDC)

  1. From the Google Cloud console, create OAuth credentials for a Web application.
  2. Add Mnemos as an authorized redirect URI.
  3. On the Google Admin SAML/OIDC apps page, scope access by org unit or group so only the intended employees can sign in.
  4. Paste the client ID and secret into Mnemos.

Generic OIDC

Any provider that publishes a discovery document at /.well-known/openid-configuration can be connected. Provide the discovery URL, client ID, and client secret. Mnemos will fetch the JWKS at runtime and refresh on rotation.
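A preflight check you can run against a provider's discovery document before pasting its URL into Mnemos, added here as an example rather than Mnemos's own tooling; the sample document and the idp.example.test hostnames are constructed, and the checks assume the authorization_code-with-PKCE flow and scopes described above.

```python
"""Preflight check of an OIDC discovery document before connecting it to Mnemos:
issuer matches the discovery URL, endpoints are HTTPS, the code flow with PKCE
(S256) and the openid/email/profile scopes are advertised, id_tokens use an
asymmetric algorithm verifiable from the JWKS. Runs offline on a sample doc."""
import json
from urllib.parse import urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # the scopes Mnemos requests

# Constructed discovery document for a hypothetical tenant (not a real IdP).
SAMPLE_DISCOVERY_URL = "https://idp.example.test/tenant-1/v2.0" + DISCOVERY_SUFFIX
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test/tenant-1/v2.0",
    "authorization_endpoint": "https://idp.example.test/tenant-1/authorize",
    "token_endpoint": "https://idp.example.test/tenant-1/token",
    "jwks_uri": "https://idp.example.test/tenant-1/keys",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def check_discovery(discovery_url: str, doc_json: str) -> list[str]:
    """Return the problems found; an empty list means the provider is usable."""
    doc = json.loads(doc_json)
    problems = []
    # OIDC Discovery 4.3: issuer must equal the discovery URL minus the suffix;
    # a mismatch means iss checks will fail or a lookalike issuer is in play.
    expected_issuer = discovery_url.removesuffix(DISCOVERY_SUFFIX)
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    # Every endpoint the connector will call must be present and HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url or urlsplit(url).scheme != "https":
            problems.append(f"{key} missing or not https: {url!r}")
    # Mnemos uses authorization_code with PKCE; only the S256 method is acceptable.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")
    # scopes_supported is optional in the spec; only complain when it is listed.
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    # ID tokens must be asymmetrically signed so the published JWKS can verify them.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not any(a.startswith(("RS", "ES", "PS")) for a in algs):
        problems.append(f"no asymmetric id_token signing alg in {algs}")
    return problems
```

To check a live provider, fetch the discovery URL over HTTPS yourself and pass the response body as `doc_json`; an empty result means the connector's assumptions hold.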

Enforcement

Once SSO is verified, Owners can flip the workspace into SSO-only mode. All password and OAuth flows are disabled and every member must authenticate through the IdP. Existing sessions are unaffected; new sign-ins use SSO immediately.

Don't lock yourself out

Keep at least one Owner account with a recovery method outside your IdP, in case the IdP is unreachable. Mnemos enforces this by warning you before enabling SSO-only mode.