Enterprise SSO and directory sync
Enterprise SSO lets your team sign in to Heroic Cloud using your corporate identity provider instead of managing separate credentials. Directory sync (SCIM) takes it further by automatically keeping your Heroic Cloud teams in sync with your identity provider’s groups.
Overview
SSO and directory sync solve the access management problem for studios with existing identity infrastructure. Instead of manually inviting users and assigning permissions one by one, you connect your identity provider and let it drive who has access and what they can do.
This is a paid add-on. It’s powered by WorkOS, a SOC 2 compliant, enterprise-grade identity and management system.
How SSO works
Once SAML is configured, users sign in through your identity provider (for example, Okta, Azure AD, OneLogin) instead of using a Heroic Cloud password. Heroic Cloud trusts your identity provider to authenticate them.
SSO is domain-based. You register the email domains your organization uses, and any user signing in with a matching domain is routed through your identity provider. An organization can have multiple domains, which is useful for studios operating under more than one email domain or with subsidiary brands.
Organization-level MFA enforcement doesn’t apply to SSO users, since your identity provider handles authentication (including any MFA requirements you have configured there).
How directory sync works
With SCIM directory sync, Heroic Cloud reads your identity provider’s groups and mirrors them as teams. This creates an automatic link between your directory and Heroic Cloud permissions.
What happens when someone is in my directory but not in Heroic Cloud?
When a user who exists in your directory (and belongs to a synced group) signs up to Heroic Cloud for the first time, they’re automatically placed into the correct team based on their directory membership. They land with whatever permissions that team has been assigned. No manual invitation or permission setup is needed.
Can I manually invite people to my organization?
Yes. You can still invite users manually via the + Invite User button even with SSO and directory sync enabled. Manually invited users authenticate through SSO like everyone else. If they also belong to a synced directory group, they automatically inherit that team’s permissions on top of any direct permissions you assign. Additionally, people who aren’t part of your organization can sign up or log in via email and password (or OAuth).
What happens when someone leaves my organization?
When you remove a user from your identity provider (or from a synced directory group), they lose the ability to authenticate via SSO. They won’t be able to sign in to Heroic Cloud on their next attempt. If they’re removed from SSO/directory entirely, they’re automatically removed from Heroic Cloud.
Can I set permissions automatically via my directory?
Yes. Import your directory groups into Heroic Cloud as teams, then assign permissions to those teams. Any user who belongs to that group in your identity provider inherits those permissions when they sign in. If you move a user between groups in your directory, their team membership in Heroic Cloud updates accordingly, and their permissions change to match.
This lets you manage all Heroic Cloud access from your identity provider. For example, adding a new developer to your “Game Team” group in Active Directory automatically gives them the permissions you have assigned to that team in Heroic Cloud.
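As an added illustration of the model described above (constructed example code, not Heroic Cloud or WorkOS code), the following Python models domain-based sign-in routing, mirroring a SCIM group snapshot onto imported teams, and what a user's effective permissions look like after they are moved between groups or removed from the directory. The `Org` class, the `studio.example` domain, and all group and permission names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    sso_domains: set          # registered email domains routed to the IdP
    team_permissions: dict    # imported group (team) -> set of permissions
    direct_permissions: dict = field(default_factory=dict)  # email -> manual grants
    members: dict = field(default_factory=dict)             # email -> set of teams

def auth_route(org, email):
    """Domain-based routing: a registered domain goes to SSO, anything else
    uses email/password or OAuth."""
    domain = email.rsplit("@", 1)[-1].lower()
    return "sso" if domain in org.sso_domains else "password_or_oauth"

def sync_directory(org, directory):
    """Mirror a directory snapshot {email: set(groups)} onto teams. Only groups
    imported as teams count; users absent from the snapshot are deprovisioned."""
    for email in list(org.members):
        if email not in directory:           # left the identity provider entirely
            org.members.pop(email)
            org.direct_permissions.pop(email, None)
    for email, groups in directory.items():
        org.members[email] = {g for g in groups if g in org.team_permissions}

def effective_permissions(org, email):
    """Union of direct grants and the permissions of every synced team."""
    if email not in org.members:
        return set()                         # not a member: no access at all
    perms = set(org.direct_permissions.get(email, set()))
    for team in org.members[email]:
        perms |= org.team_permissions[team]
    return perms

def scenario():
    """Constructed walk-through: join via a group, move groups, then leave."""
    org = Org(sso_domains={"studio.example"},
              team_permissions={"Game Team": {"builds:read", "builds:write"},
                                "QA": {"builds:read", "crashes:read"}})
    snapshot = {"dev@studio.example": {"Game Team", "Everyone"},   # "Everyone" not imported
                "lead@studio.example": {"Game Team"}}
    org.direct_permissions["lead@studio.example"] = {"billing:manage"}  # manual grant
    sync_directory(org, snapshot)
    joined = effective_permissions(org, "dev@studio.example")
    snapshot["dev@studio.example"] = {"QA", "Everyone"}            # moved between groups
    sync_directory(org, snapshot)
    moved = effective_permissions(org, "dev@studio.example")
    del snapshot["dev@studio.example"]                             # removed from the directory
    sync_directory(org, snapshot)
    gone = effective_permissions(org, "dev@studio.example")
    return joined, moved, gone, effective_permissions(org, "lead@studio.example")
```

Running `scenario()` shows the developer gaining Game Team permissions, swapping to QA permissions after the group move, and ending with no access once dropped from the directory, while the lead keeps the manual grant on top of the team's permissions.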
See also
- How to set up Enterprise SSO and directory sync for step-by-step configuration instructions.
- Access control for assigning permissions to imported directory groups.
- Organizations for the Organization page overview.
