SSO & Enterprise Security
SandboxMesh ships with enterprise-grade Single Sign-On (SSO) and security controls powered by WorkOS.
We handle the heavy lifting of authentication and identity management so you can easily deploy SandboxMesh across your organization while meeting strict procurement and compliance requirements.
Seamless Single Sign-On
Connect your existing Identity Provider (IdP), whether that is Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or any other SAML 2.0 or OIDC-compliant provider.
- Zero Friction: Users sign in with their existing credentials. No new passwords to manage.
- Flexible Flows: We support both SP-initiated and IdP-initiated login. Where your IdP allows it, prefer SP-initiated login: the request originates from SandboxMesh and carries state that the response must match, which gives stronger protection against replayed or injected assertions than an unsolicited IdP-initiated response.
- Deep Linking: Users land exactly on the preview environment they requested after authenticating, not a generic dashboard.
Automated Onboarding
Stop manually provisioning accounts. With Just-in-Time (JIT) Provisioning, a new user's account is created the moment they first sign in through your IdP. Note that JIT only creates accounts; it has no way of knowing when someone has left your organization.
For larger teams, and for reliable offboarding, we support SCIM Directory Sync. As you add, update, deactivate, or remove users and groups in your directory, SandboxMesh mirrors those changes, so a user removed from the directory loses access without anyone having to remember to remove them in SandboxMesh as well.
Secure by Default
SandboxMesh is built to seamlessly inherit and enforce your organization's security posture:
- Multi-Factor Authentication (MFA): Authentication happens at your IdP, so whatever MFA policy you enforce there applies to every SandboxMesh login. SandboxMesh does not add a second MFA step of its own, so make sure your IdP policy for the SandboxMesh application requires it.
- Domain Verification: Before a domain is routed to your IdP, we verify that your organization controls it. This prevents another tenant from claiming your domain and ensures that sign-ins from your users are always sent to your IdP rather than to a password prompt.
- Strict Token Security: We follow OAuth 2.0 and OIDC best practices. Browser flows use the authorization code flow with PKCE; tokens are accepted only after their signature is verified against the issuer's published keys and their issuer, audience, and expiry claims match what we expect; tokens are short-lived; and credentials are never stored in persistent browser storage such as localStorage.
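To make the token checks above concrete, here is an added example (not SandboxMesh or WorkOS code) of what "rigorously validated" has to mean for a JWT: an algorithm allowlist taken from configuration rather than from the token, a constant-time signature check over the exact signed bytes, issuer and audience pinning, and a mandatory expiry with a small clock-skew allowance. It uses HS256 with a shared secret so that it runs offline; tokens issued by a real IdP are normally RS256 and are verified against the issuer's JWKS, which changes the signature step but none of the claim checks. ISSUER, AUDIENCE, KEY and NOW are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this demo; not SandboxMesh or WorkOS configuration.
ISSUER = "https://idp.example.com"       # IdP we expect to have issued the token
AUDIENCE = "sandboxmesh-portal"           # client_id/audience this service accepts
KEY = b"demo-shared-secret-do-not-reuse"  # HS256 stand-in for the issuer's signing key
NOW = 1_700_000_000                       # fixed clock so results are reproducible


class TokenError(Exception):
    """Raised when a token fails any validation check."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; plays the issuer's role so the demo runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[float] = None, skew: int = 60) -> dict:
    """Return the claims if every check passes; raise TokenError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # bad segment count, bad base64 or bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("malformed token")
    # 1. Allowed algorithm comes from our config, never from the token header
    #    (defeats alg=none and RS256->HS256 confusion downgrades).
    if header.get("alg") != "HS256":
        raise TokenError(f"disallowed alg {header.get('alg')!r}")
    # 2. Signature over the exact signed bytes, compared in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TokenError("bad signature")
    # 3. Issuer and audience pin the token to our IdP and this relying party,
    #    so a genuine token minted for another application is rejected.
    if payload.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this audience")
    # 4. Lifetime: exp is mandatory (short-lived tokens), nbf honoured when
    #    present, small skew tolerates clock drift between the two sides.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenError("missing exp")
    if now > exp + skew:
        raise TokenError("token expired")
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now + skew < nbf:
        raise TokenError("token not yet valid")
    return payload


def demo() -> dict:
    """Validate one good token and four constructed bad ones; return outcomes."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice@example.com",
            "iat": NOW, "exp": NOW + 300}
    good = mint_token(base, KEY)
    header_b64, payload_b64, sig_b64 = good.split(".")
    # Payload edited after signing, original signature kept: must fail check 2.
    forged = _b64url_encode(json.dumps({**base, "sub": "mallory@example.com"}).encode())
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    tokens = {
        "good": good,
        "expired": mint_token({**base, "exp": NOW - 3600}, KEY),
        "wrong_audience": mint_token({**base, "aud": "some-other-app"}, KEY),
        "alg_none": f"{none_header}.{payload_b64}.",   # downgrade, empty signature
        "tampered": f"{header_b64}.{forged}.{sig_b64}",
    }
    results = {}
    for name, tok in tokens.items():
        try:
            validate_token(tok, KEY, ISSUER, AUDIENCE, now=NOW)
            results[name] = "ok"
        except TokenError as exc:
            results[name] = str(exc)
    return results
```

Calling demo() returns "ok" for the genuine token and a specific rejection reason for each of the four constructed attacks (expiry, wrong audience, alg=none downgrade, tampered payload). The algorithm allowlist is the check most often missing from home-grown validators: a verifier that honours whatever alg the token names lets an attacker choose "none", or switch an RS256 token to HS256 and sign it with the public key as the shared secret.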
Role-Based Access Control (RBAC)
Every action in the SandboxMesh Portal and API is gated by a strict three-tier role model:
- Owner: Full control over billing, org settings, members, and sandboxes.
- Admin: Can register clusters and manage sandboxes, plus read-only access to org settings.
- Member: Read-only access to sandboxes and organization resources.
Audit Ready
To support your compliance efforts (such as SOC 2 or HIPAA), SandboxMesh logs all authentication and authorization events. Denied access attempts record the user, their role, and the reason for the denial, and webhook processing records every organization lifecycle event, so you can reconstruct who was granted or refused access and why. All communication is encrypted with TLS in transit.