Identity and Access
This page explains how identity and access work in Costory. It is for buyers comparing Copilot and Copilot Pro, IT or security reviewers checking access controls, and workspace admins deciding how users should join. Authentication is handled by Clerk.
At-a-glance comparison
| Access area | Copilot, 250 EUR per month | Copilot Pro, 1,000 EUR per month |
|---|---|---|
| Sign-in method | Users sign up with a company email address. This is not single sign-on (SSO). | Users log in through your identity provider (IdP) using Enterprise SSO. Okta Workforce is supported natively through Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). Any SAML or OIDC provider can be connected. |
| Who can join | Anyone with your approved company email domain, for example name@acme.com, is added to the workspace automatically. Public email providers such as Gmail or Outlook.com are not supported. | Users assigned in your IdP can log in through SSO. With directory sync, users can also be created before first sign-in. |
| Provisioning | Auto-join by company domain. Clerk calls this Verified Domains. | Just-in-Time (JIT) provisioning creates the user and assigns a role at first SSO sign-in. System for Cross-domain Identity Management (SCIM) can create users in advance. |
| Deprovisioning and offboarding | No IdP-driven offboarding. Remove users in Costory when access should end. | SCIM removes users automatically when they leave your IdP, with no sign-in required. This is the path for prompt offboarding. |
| Roles | Roles are managed in Costory. No IdP role mapping is included in this tier. | Role-based access control (RBAC), including role assignment through JIT provisioning. |
| Admin seats | Workspace admins are managed in Costory. The unlimited admin account guarantee applies to Copilot Pro. | Unlimited admin accounts at no extra cost. There is no per-admin fee. |
Identity features by tier
Copilot: Auto-join by company domain
Let anyone with your company email domain join your Costory workspace without a manual invite.
Copilot Pro: Login through your identity provider
Add login through an IdP, JIT provisioning, SCIM directory sync, RBAC, and unlimited admin accounts.
Key concepts
Auto-join by company domain
Auto-join by company domain adds users automatically when they sign up with your company email domain. Use it when you want low-friction access for a known company domain and do not need IdP-controlled sign-in. This option is available on Copilot. It is not SSO, SAML, OIDC, or login through your provider.
Login through your identity provider
Login through your identity provider lets users authenticate through your own IdP. Use it when your IT team requires centralized access policies, Okta Workforce, SAML, OIDC, role assignment, or automated offboarding. This option is available on Copilot Pro. SAML is the usual Okta setup, but Okta Workforce is supported over both SAML and OIDC. Other SAML or OIDC identity providers can also be connected.
JIT provisioning vs SCIM directory sync
JIT and SCIM both create user accounts, but they solve different operational problems. In Clerk, SCIM directory sync is called Directory Sync.
| Provisioning option | What happens | Offboarding impact |
|---|---|---|
| JIT provisioning | A user account is created and a role is assigned the first time the user signs in through SSO. | The user must sign in before the account exists. JIT alone is not the prompt offboarding path. |
| SCIM directory sync | Costory stays aligned with your IdP. Users are created in advance and removed when they leave your IdP. | Users are removed automatically with no sign-in required. Use SCIM when prompt offboarding matters. |
Which should you choose?
Choose Copilot if:
- You want users with a real company email domain to join automatically.
- You do not need SSO, SAML, OIDC, SCIM, or IdP-managed offboarding.
- You can remove users directly in Costory when access should end.
Choose Copilot Pro if:
- You use Okta Workforce, Azure AD / Entra, Google Workspace, OneLogin, or another SAML or OIDC provider for workforce access.
- You need SSO, JIT provisioning, SCIM directory sync, RBAC, or unlimited admin accounts.
- You need automatic removal when users leave your IdP.
Security and data scope
Costory ingests only cloud billing and usage data:
- Cost line items per service, team, and resource.
- No end-user personally identifiable information (PII).
- No customer application data.
- No other sensitive business data.
Costory itself is not yet certified for SOC 2 or International Organization for Standardization (ISO) 27001.
Frequently asked questions
Do you support Okta?
Yes. Costory supports Okta Workforce natively on Copilot Pro through SAML and OIDC. SAML is the usual setup. Any SAML or OIDC identity provider can be connected, not only Okta.
Should we use JIT or SCIM?
Use JIT when it is acceptable for users to be created at first SSO sign-in. Use SCIM when you need Costory to stay aligned with your IdP, create users in advance, and remove users automatically when they leave.
Are you SOC 2 or ISO 27001 certified?
Costory itself is not yet certified for SOC 2 or ISO 27001. Authentication is handled by Clerk, which is SOC 2 Type II certified and compliant with HIPAA, GDPR, and CCPA.
Do extra admins cost more?
No. Copilot Pro includes unlimited admin accounts at no extra cost. There is no per-admin fee.
What is the difference between auto-join and SSO?
Auto-join by company domain adds users who sign up with your approved company email domain. SSO lets users log in through your identity provider and is available on Copilot Pro.
Can I use both on the same domain?
No. For a given workspace and domain, Auto-join by company domain and Enterprise SSO are mutually exclusive. This is a Clerk limitation.
