> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Workspace security settings

> Security controls that apply to everyone in a workspace.

## Overview

Workspace security settings are managed by owners and admins. They control authentication, provisioning, and access rules for all members.

## Access control

* **Allow Developer Login**: Allow users with only the **Developer** role to sign in. The Developer role is automatically assigned to VCS users.
* **Automatic VCS Provisioning**: Automatically create and suspend tenant accounts when VCS members link supported VCS profiles. Manually created users are not affected.
* **Include Outside Collaborators**: Automatically provision GitHub outside collaborators with the Developer role. These users are suspended if repository access is revoked.

## Authentication

* **Enforce 2FA**: Require two-factor authentication for all users. Users without 2FA get a 7 day grace period before lockout.
* **Custom Login Page**: Enable a custom login page with additional authentication options. This setting is required and locked on when SAML or self-hosted VCS OAuth is configured for the workspace.
* **VCS Login**: Allow users to sign in with supported VCS providers. This option appears when the custom login page is enabled.

### SAML single sign-on

Configure SAML for enterprise authentication.

**Identity provider**

* **IdP Entity ID**
* **Single Sign-On URL**
* **Single Logout URL** (optional)
* **IdP signing certificate** with show or hide controls

**Service provider**

* **SP Entity ID** with a regenerate control
* **Assertion Consumer Service** URL
* **Single Logout Service** URL
* **Download metadata** for IdP setup

**User mapping**

* **Email attribute**
* **Display name attribute**
* **Just in time provisioning** toggle
* **Default role** for newly provisioned users

**Access policies**

* **Enforce SAML only login** for this workspace
* **Allow passkey fallback** when the IdP is unavailable and users have passkeys

When SAML is enabled, Cysmiq also enables the custom login page for the workspace.

## User provisioning

* **SCIM provisioning**: Enable SCIM for automated user provisioning and deprovisioning
* **SCIM endpoint**: Use the provided base URL and append `/Users` in your IdP configuration
* **Authentication token**: Show, copy, or regenerate the token used as a Bearer token in SCIM requests
* **Default role**: Role assigned to newly provisioned users

## API keys

Workspace API keys are tenant scoped and are managed in this page.

See [API keys](/security-access/api-keys) for scopes, expiry options, and lifecycle details.
