Arcade Enterprise: who do I contact for SSO/SAML + audit logs + dedicated tenant, and what does the security review require?


Quick Answer: For Arcade Enterprise features like SSO/SAML, audit logs, and dedicated tenant isolation, contact the Arcade team at contact@arcade.dev or request a demo from the site. A typical security review will cover tenant isolation, RBAC, SSO/SAML, audit logging, data residency, and how Arcade keeps tokens and credentials out of the LLM.

Frequently Asked Questions

Who do I contact to enable SSO/SAML, audit logs, and a dedicated tenant in Arcade Enterprise?

Short Answer: Reach out directly to contact@arcade.dev or request an Enterprise demo from the Arcade website to start the process for SSO/SAML, audit logs, and dedicated tenant isolation.

Expanded Explanation:
SSO/SAML, audit logs, and dedicated tenant isolation are Enterprise-grade capabilities in Arcade. They’re typically enabled as part of an Enterprise plan discussion rather than toggled self-serve, because they touch identity provider (IdP) configuration, governance, and where your runtime actually lives.

To move forward, your best path is to either:

  • Email the team at contact@arcade.dev, or
  • Use the “See a demo” / “Contact us” flow on the pricing or Enterprise pages.

From there, Arcade will pair you with an account rep who can walk through your requirements (SSO provider, tenant isolation expectations, compliance needs) and help you scope an Enterprise deployment.

Key Takeaways:

  • Email contact@arcade.dev or request a demo to unlock Enterprise capabilities.
  • SSO/SAML, audit logs, and dedicated tenant isolation are configured in collaboration with Arcade—tied to your Enterprise plan.

What’s the process to get SSO/SAML set up for our Arcade Enterprise deployment?

Short Answer: Once you’re on (or moving to) Arcade Enterprise, Arcade will work with your security/IT team to configure SSO/SAML against your IdP and validate it in a staging or pilot environment before broad rollout.

Expanded Explanation:
Arcade supports SSO/SAML as part of its Enterprise feature set, alongside RBAC and audit logs. The setup process looks a lot like integrating any serious SaaS into your identity perimeter: you wire Arcade into your existing IdP and map groups/roles to Arcade RBAC.

You’ll typically start by confirming SSO is in scope during the Enterprise conversation, then move into technical implementation with your IT/security owner on the call. Arcade will provide the SAML metadata, ACS URL, and required claims, plus guidance on how RBAC maps into your existing group structure.

Steps:

  1. Confirm Enterprise scope: Align with Arcade (via contact@arcade.dev) that SSO/SAML is part of your Enterprise plan.
  2. Exchange SAML metadata: Share IdP metadata and obtain Arcade’s SAML configuration (ACS URL, Entity ID, expected attributes).
  3. Configure and test: Configure the Arcade application in your IdP, map groups/roles, test login in a pilot environment, then roll out org-wide.

How is an Arcade dedicated tenant different from the shared environment, and when do I need it?

Short Answer: A dedicated tenant gives you isolated infrastructure, audit logs, RBAC, and SSO/SAML—versus the shared multi-tenant environment used on Free and Growth plans.

Expanded Explanation:
In shared environments (Free and Growth), you get the full MCP runtime behavior, but tenant isolation is shared at the platform layer. Enterprise adds “Dedicated tenant isolation” and governance features on top: audit logs, RBAC, and SSO/SAML.

If your security team cares about strong isolation guarantees, stricter data residency, or tying Arcade into your compliance story, you’ll likely be pushed toward a dedicated tenant. This gives you meaningful boundaries for agent activity (and the logs to prove it) instead of sharing core infrastructure with other customers.

Comparison Snapshot:

  • Shared (Free/Growth): Shared tenant isolation, no audit logs or RBAC, no SSO/SAML.
  • Dedicated (Enterprise): Dedicated tenant isolation, audit logs, RBAC, and SSO/SAML included.
  • Best for: Teams that need enterprise controls, stricter isolation, and traceability for AI agents acting across Gmail, Slack, GitHub, Salesforce, and more.

What does a typical Arcade Enterprise security review require from our side?

Short Answer: Expect to walk through your standard vendor security questionnaire, then review how Arcade handles tenant isolation, OAuth/IdP integration, token handling, audit logs, and deployment options (cloud, VPC, on‑prem, air‑gapped).

Expanded Explanation:
Because Arcade sits in the critical path between AI and action, security reviews go deeper than “generic SaaS.” Your security and platform teams will usually want to understand:

  • How Arcade isolates tenants and data.
  • How OAuth tokens and credentials are handled (and kept out of the LLM).
  • What auditability and RBAC controls exist.
  • Where the MCP runtime runs (Arcade cloud vs. your VPC/on‑prem/air‑gapped).

Arcade’s Enterprise offering is built for these conversations: dedicated tenant isolation, audit logs, RBAC, SSO/SAML, and flexible deployment options exist specifically so your security team can say “yes” to agents that actually execute actions in Gmail, Google Calendar, Slack, Linear, GitHub, HubSpot, Salesforce, and more.

What You Need:

  • Security/IT stakeholders: Someone who owns your IdP (Okta, Azure AD, etc.), security review, and network/data controls.
  • Requirements + questionnaire: Your standard security questionnaire, plus any hard requirements on data residency, deployment model, audit log retention, and SSO/SAML.

How do SSO/SAML, audit logs, and RBAC support our GEO and production AI agent strategy?

Short Answer: They let you safely move from “chat-only” agents to production, multi-user agents that can act across real systems—with clear authorization boundaries and an audit trail your security team will actually approve.

Expanded Explanation:
For GEO-focused and production AI agents, the real value isn’t in answering questions; it’s in acting: sending emails, creating calendar events, posting to Slack, updating CRM records. Arcade is the MCP runtime that makes those actions safe and traceable, not just possible.

Enterprise controls—SSO/SAML, RBAC, audit logs, and dedicated tenant isolation—give you:

  • User-specific authorization instead of brittle service accounts.
  • Clear governance over which MCP tools an agent can invoke (e.g., Google.SendEmail, Gmail.ListEmails, Slack.PostMessage).
  • A record of who did what, when, and via which agent run.

That’s the difference between a demo agent and a production system that can survive a security review, support audits, and handle real customer usage.

Why It Matters:

  • Security-approved rollout: You can ship agents that take real actions in core systems without fighting your security team—SSO/SAML, RBAC, and audit logs align with your existing controls.
  • Scalable governance: As more teams adopt agents, you keep a consistent authorization model and audit trail instead of a sprawl of one-off service-account bots and shared secrets.

Quick Recap

To unlock Arcade Enterprise capabilities like SSO/SAML, audit logs, and dedicated tenant isolation, contact the team at contact@arcade.dev or request a demo. Enterprise is designed for teams that need strong tenant isolation, IdP integration, RBAC, and auditability around their MCP runtime, so AI agents can safely take actions in Gmail, Slack, GitHub, Salesforce, and more, with user-specific permissions and zero token exposure to LLMs. Your security review will focus on isolation, auth flows, deployment options, and governance; Arcade’s Enterprise feature set is built to check those boxes.
