This guide walks administrators through the full enterprise onboarding process — from acquiring a license to verifying that your first users can sign in via SSO.

Prerequisites

  • An active Cline Enterprise license
  • Administrator access to your identity provider (Okta, Microsoft Entra ID / Azure AD, Google Workspace, or any SAML/OIDC-compatible IdP)
  • Knowledge of your organization’s SSO configuration requirements

Onboarding steps

1. Receive your WorkOS invitation

After your enterprise license is provisioned, your designated IdP administrator receives an email from WorkOS with a link to access your organization’s WorkOS dashboard. This dashboard is where your SSO connection is configured.
WorkOS is the identity layer that powers Cline Enterprise SSO. You do not need a separate WorkOS account — access is provisioned automatically during onboarding.
2. Connect your identity provider

In the WorkOS dashboard, configure your identity provider connection:
  1. Go to AuthKit → Connections
  2. Click Add Connection
  3. Select your identity provider (Okta, Microsoft Entra ID / Azure AD, Google Workspace, Generic SAML, or Generic OIDC)
  4. Follow the provider-specific setup instructions shown in WorkOS
Each identity provider has its own required fields and setup flow. Follow the instructions shown in WorkOS for your chosen provider.
For detailed per-provider instructions, see the WorkOS SSO documentation and the SSO setup guide.
3. Verify user provisioning is automatic

Cline Enterprise uses just-in-time (JIT) provisioning. No additional configuration is required:
  • Organizations are created automatically during onboarding.
  • Users are provisioned automatically on their first SSO sign-in.
  • Roles are assigned automatically based on the user’s role in your IdP.
  • No manual user invites or seat reconciliation is required.
Role changes made in your IdP sync to Cline on the user’s next sign-in.
4. Review role mapping

User roles map from your IdP to Cline automatically:
IdP role | Cline role
Admin / Owner | Admin
Member (any other) | Member
The first Owner of the organization is created manually during onboarding. All subsequent users are provisioned via IdP role mapping.
For a full breakdown of what each role can access, see Team management.
If you need to configure additional user attribute mappings (such as email or display name):
  1. Go to Settings → Authentication → User Attributes in the Cline admin console.
  2. Map attributes based on your IdP configuration.
See the WorkOS user object documentation for available attributes.
5. Test the SSO connection

Before rolling out to your team, verify the end-to-end sign-in flow:
  1. In the WorkOS dashboard, click Test SSO Connection (or sign in at app.cline.bot).
  2. You are redirected to your IdP’s login page.
  3. Authenticate with a test user’s credentials.
  4. After successful authentication, you are redirected back to Cline.
  5. Confirm that the test user’s name, email, and role display correctly.
Expected result: The test user is authenticated, their account details are visible, and their role matches what is configured in your IdP.
If the test fails: Double-check redirect URIs, SAML certificates, and attribute mappings in your IdP configuration. See the WorkOS troubleshooting docs or the SSO setup guide.
6. Configure your inference provider

With SSO working, configure the AI provider your team will use. This is done in the Cline admin console at app.cline.bot under Settings → Cline Settings.
Supported providers for centralized configuration:
  • Amazon Bedrock
  • LiteLLM proxy
  • Google Vertex AI
Once saved, all organization members receive the provider configuration automatically when they sign in. See Provider configuration for step-by-step instructions.
7. Distribute the extension and verify access

Distribute the Cline VS Code extension to your team through your existing software distribution tooling (Intune, Jamf, a managed VS Code policy, etc.).
First-time sign-in flow for developers:
  1. Developer opens Cline and clicks Sign in with SSO.
  2. They authenticate via your organization’s IdP.
  3. Cline automatically creates their account in your organization.
  4. Their role is assigned based on IdP role mapping.
  5. They are redirected to Cline and can begin working immediately.
No manual invite or approval step is required for developers whose IdP accounts are active.

Verification checklist

After completing the steps above, verify the following before broad rollout:
  1. A test user can sign in through the SSO flow from app.cline.bot.
  2. The test user is automatically created with the correct organization assignment.
  3. The user’s name, email, and role are correctly populated from your IdP.
  4. A role change in your IdP is reflected in Cline on the user’s next sign-in.
  5. A user removed from your IdP loses access on their next sign-in attempt.
  6. Authentication events appear in the WorkOS audit logs.

Managing access over time

All ongoing access management is handled through your IdP:
Action in IdP | Effect in Cline
Add user | Access granted automatically on first login
Change user role | Role updated on next login
Remove user | Access revoked on next login attempt
To change your identity provider after initial setup, contact Cline support. This process requires coordination with the Cline team.
