SSO, SCIM, SAML, BYOK: what ships when.

Help center

HelpSecurity and accessSSO, SCIM, SAML, BYOK: what ships when.

Single sign-on availability at V1, the procurement-grade controls that ship with V2, and what you can do today instead.

Last reviewed 18 June 20263 min read

Picked at V1 supports email plus magic-link sign-in and Google Workspace SSO. SAML, SCIM, and BYOK are on the V2 enterprise tier in mid 2027.

What is on at V1.

Email plus magic-link. Default. No password.
Google Workspace SSO. Enforce a domain on the workspace; sign-in is restricted to that domain.
Two-factor (TOTP). Enforce per workspace under Security policy.
Session-length policy. Configurable from 8 hours to 30 days. Default 14 days.

What ships with V2.

SAML 2.0 (Okta, Azure AD, OneLogin).
SCIM 2.0 provisioning, including group-to-role mapping.
Customer-managed encryption keys (BYOK) for transcripts at rest.
IP allowlists per workspace.

V2 enterprise tier ships in mid 2027. If your procurement requires SAML and SCIM today, the practical recommendation is to wait for V2 or run Picked at the workspace level (e.g. for a single business unit) until the enterprise tier lands.

Microsoft Entra ID (formerly Azure AD) SSO is the most common procurement ask after Google Workspace; it ships alongside SAML in V2. If your organisation runs Entra ID, the realistic V1 path is to add picked.ai to your sanctioned-application list and run sign-in via email plus magic-link until the V2 enterprise tier lands.

SOC 2 Type II is in progress with Prescient Assurance and Drata. The report ships with V1 in Q4 2026.

What to do next: enforce Google Workspace SSO and two-factor on the workspace today; flag the V2 enterprise tier on the public roadmap.

SSOSCIMSAMLBYOKprocurement