## Aritma ID

Users and clients authenticate via **Aritma ID** — Aritma's built-in identity system. A user subject is linked to an Aritma ID account by email address. When you invite a user, they create or connect an Aritma ID account as part of accepting the invitation.

Aritma ID is always available as a fallback, even when SSO is configured.

## SSO providers

Organizations that manage their own identity infrastructure can configure an external **identity provider (IdP)** so that users log in with their corporate credentials instead of a separate Aritma ID password.

Aritma IAM supports four SSO provider types:

| Provider | Use case |
| --- | --- |
| **Azure AD** | Microsoft Entra ID / Azure Active Directory |
| **Google** | Google Workspace accounts |
| **Signicat** | Strong authentication methods (BankID, MitID, Swedish BankID) |
| **Custom OIDC** | Any standards-compliant OpenID Connect provider |

When a user logs in via an SSO provider, Aritma maps the incoming identity to a user subject in your tenant. The subject's permissions are the same regardless of how they authenticated.

## User provisioning

There are three ways a user subject can be created in your tenant, and they are independent of each other:

| Method | When the user is created | Requires |
| --- | --- | --- |
| **Invitation** | After the user accepts the invite | Nothing |
| **Auto-provisioning** | On the user's first SSO login (Just-in-time) | An SSO provider with auto-provisioning enabled |
| **SCIM** | Before the user ever logs in | A SCIM token and IdP provisioning configuration |

### Auto-provisioning

When **auto-provisioning** is enabled on an SSO provider, Aritma creates a user subject the first time that user logs in through that provider. The subject is created just-in-time during the login flow — no invitation or pre-creation is needed. It is configured directly on the SSO provider.
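
Because the three creation paths in the provisioning table are independent, the subjects in a tenant and the users assigned in your IdP can drift apart. The following is an added example, not Aritma code: it reconciles a subject export against the IdP's assigned users and groups the mismatches by creation method. The record fields `email` and `created_via`, the method labels and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical record shape; Aritma's API may name these fields differently.
METHODS = {"invitation", "auto-provisioning", "scim"}

def normalize(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()

def reconcile(subjects, idp_assigned):
    """Return findings, grouped by kind, where tenant and directory disagree.

    subjects:     iterable of {"email": str, "created_via": str}
    idp_assigned: e-mail addresses currently assigned to the app in the IdP
    """
    assigned = {normalize(e) for e in idp_assigned}
    findings = defaultdict(set)
    seen = set()
    for s in subjects:
        email = normalize(s["email"])
        seen.add(email)
        method = s.get("created_via")
        if method not in METHODS:
            findings["unknown_method"].add(email)
        elif email not in assigned:
            # Subject exists in the tenant but the directory does not list it.
            findings["not_in_idp:" + method].add(email)
    # Directory users with no subject yet (not provisioned, never logged in).
    findings["assigned_without_subject"] |= assigned - seen
    return {kind: sorted(v) for kind, v in findings.items() if v}

# Constructed sample data, not output from a real tenant or directory.
SUBJECTS = [
    {"email": "Alice@example.com", "created_via": "scim"},
    {"email": "bob@example.com", "created_via": "auto-provisioning"},
    {"email": "carol@partner.example", "created_via": "invitation"},
    {"email": "dave@example.com", "created_via": "imported"},
]
IDP_ASSIGNED = ["alice@example.com", "dave@example.com", "erin@example.com "]

if __name__ == "__main__":
    for kind, emails in reconcile(SUBJECTS, IDP_ASSIGNED).items():
        print(f"{kind}: {', '.join(emails)}")
```

Subjects reported under `not_in_idp:invitation` or `not_in_idp:auto-provisioning` are the ones to review by hand, since nothing in the directory accounts for them.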

### SCIM

**SCIM** (System for Cross-domain Identity Management) lets your IdP manage the full user lifecycle — independently of login events. With SCIM configured, your IdP can:

- Create users when they are assigned to the application in the directory
- Update user attributes when they change
- Deprovision users when they are removed from the application or leave the organization

Because SCIM creates users proactively, they exist in Aritma before their first login. SCIM is configured by creating a SCIM token in Aritma and providing it to your IdP as the provisioning credential.

In our SCIM implementation, each token is linked to a specific SSO provider so that provisioned users are associated with an SSO login method. This ensures that provisioned users can log in directly.

## Domain verification

By default, users must be invited via email before they can be created in your tenant. **Domain verification** lets you prove ownership of an email domain, after which you can create users on that domain directly — without the invitation flow.

Domain verification requires publishing a DNS TXT record. Once the domain status reaches `Confirmed`, direct user creation is enabled for that domain.

## Related

- [SSO Setup](/apis/platform/iam/sso/overview) — configure SSO providers via the API
- [SCIM Provisioning](/apis/platform/iam/scim/overview) — configure SCIM tokens and provisioning
- [Domains](/apis/platform/iam/guides/domains) — verify domain ownership
- [Subjects](/apis/platform/iam/concepts/subjects) — how user subjects relate to identities