Identity OS · cycle 78 · 2026-05-18

Your app, enterprise-ready — with the agent OS underneath.

Start selling to enterprise customers with a single integration: SAML, OIDC, SCIM, audit logs, MFA, RBAC, vault, radar. Same primitives WorkOS sells — wired directly into neww.ai’s run-state machine so identity controls agent capability, not just routes.

Connectors: 22 catalog rows
Shipped + Partial: 10 / 22 backed by code
Audit event types: 61 hash-chained
Net advantage vs WorkOS: -8 capability points

11 agent-OS differentiators · 15 radar signals

02 · Connector catalog

22 identity & directory connectors

Same 20+ enterprise services WorkOS supports — Okta, Entra ID, Google, JumpCloud, Ping, OneLogin, ADFS, BambooHR, Rippling, Workday — plus social and HRIS extensions WorkOS does not list (GitHub, Gusto).

neww.ai avg score: 5.68
Competitor avg: 7.16
Net advantage: -1.48

Enterprise SSO (10)

  • Okta (SAML 2.0) · SAML · PARTIAL · neww 7.5 · comp 8.5
    neww.ai handles Okta via existing scim/auth.ts; full metadata exchange ships cycle 79.
  • Okta (OIDC) · OIDC · PARTIAL · neww 7.5 · comp 8.5
    OIDC provider config slot exists; production metadata cycle 79.
  • Microsoft Entra ID (Azure AD) · SAML · PARTIAL · neww 7.0 · comp 9.0
    Entra ID profile shaped; tenant-ID claim parsing pending.
  • Google Workspace SAML · SAML · SHIPPED · neww 8.5 · comp 8.5
    Google Workspace OAuth flow live via NextAuth Google provider.
  • OneLogin (SAML) · SAML · PLANNED · neww 5.0 · comp 7.5
    Targeted cycle 79.
  • Microsoft ADFS · SAML · PLANNED · neww 4.5 · comp 7.0
    Legacy on-prem; lower priority — most customers run Entra.
  • JumpCloud · SAML · PLANNED · neww 5.0 · comp 7.5
    Targeted cycle 79.
  • Ping Identity (PingFederate) · SAML · PLANNED · neww 4.5 · comp 7.5
    Enterprise demand catalyst.
  • Duo SSO · SAML · PLANNED · neww 4.0 · comp 7.0
    Cisco-acquired; bundle with MFA push provider.
  • Generic OIDC · OIDC · PARTIAL · neww 6.5 · comp 7.5
    Generic OIDC provider slot exists in NextAuth config.

Directory Sync (4)

  • Okta (SCIM 2.0) · SCIM · PARTIAL · neww 7.0 · comp 8.5
    SCIM endpoints exist at /api/scim/*; full attribute mapping cycle 79.
  • Entra ID (SCIM) · SCIM · PARTIAL · neww 6.5 · comp 8.5
    SCIM 2.0 endpoint mounted; Entra-flavoured patch ops pending.
  • JumpCloud (SCIM) · SCIM · PLANNED · neww 4.5 · comp 7.5
    Targeted cycle 79.
  • Google Workspace (Directory) · SCIM · PLANNED · neww 4.5 · comp 7.5
    Google directory API bridge.

HRIS Bridge (4)

  • Rippling (HRIS) · HRIS · PLANNED · neww 3.5 · comp 7.0
    Differentiator: HRIS → agent capability provisioning.
  • BambooHR · HRIS · PLANNED · neww 3.5 · comp 7.0
    SMB-segment HRIS.
  • Workday HCM · HRIS · PLANNED · neww 3.0 · comp 7.5
    Mid-market+ HRIS; SOAP API.
  • Gusto · HRIS · PLANNED · neww 3.0 · comp 0.0
    neww.ai advantage — WorkOS does not ship Gusto bridge.

Social Login (4)

  • Google (Social) · SOCIAL · SHIPPED · neww 9.5 · comp 9.0
    Google OAuth live via NextAuth.
  • Microsoft (Social) · SOCIAL · PARTIAL · neww 7.0 · comp 8.5
    Microsoft personal + work in single provider slot.
  • GitHub · SOCIAL · SHIPPED · neww 9.0 · comp 0.0
    neww.ai dev-segment advantage — WorkOS does not list GitHub.
  • Sign in with Apple · SOCIAL · PLANNED · neww 4.0 · comp 8.0
    Required for consumer iOS submissions.

03 · Competitive matrix

neww.ai vs WorkOS · Auth0 · Stytch · Frontegg · BoxyHQ

20 capabilities scored deterministically. neww.ai's net score against the next-best vendor (WorkOS) is -8 points.

Legend: Full · Partial · Add-on $

Columns: Capability · category · neww.ai · WorkOS · Auth0 · Stytch · Frontegg · BoxyHQ (cells are listed in this vendor order; rows with fewer than six cells had blank cells on the source page, and which vendor each blank belonged to was not recoverable)

  • Magic Auth (6-digit OTP) · AUTH · Full · Full · Full · Full · Partial
  • Passwordless magic-link · AUTH · Full · Full · Full · Full · Full
  • MFA — TOTP · AUTH · Full · Full · Full · Full · Full · Partial
  • MFA — WebAuthn / passkeys · AUTH · Full · Full · Full · Full · Full
  • MFA — SMS · AUTH · Partial · Full · Full · Full · Full
  • Social login (Google, MS, Apple, GitHub) · AUTH · Full · Full · Full · Full · Full · Partial
  • Enterprise SAML 2.0 SSO · SSO · Partial · Full · Full · Full · Full · Full
  • Enterprise OIDC SSO · SSO · Partial · Full · Full · Full · Full · Full
  • IdP-initiated discovery (domain-based) · SSO · Partial · Full · Full · Partial · Full · Partial
  • SCIM 2.0 directory sync · DIRECTORY · Partial · Full · Full · Partial · Full · Full
  • HRIS bridge (Rippling, Workday, Bamboo, Gusto) · DIRECTORY · Partial · Full · Partial
  • Real-time directory webhooks · DIRECTORY · Partial · Full · Full · Full · Full · Partial
  • Immutable audit logs (SOC2 / HIPAA) · GOVERNANCE · Full · Full · Full · Full · Full · Full
  • Role-based access control · GOVERNANCE · Full · Full · Full · Partial · Full · Partial
  • ABAC — agent skill scope · GOVERNANCE · Full · Partial · Partial
  • Bot / abuse / anomaly radar · GOVERNANCE · Partial · Add-on $ · Partial · Partial
  • Encrypted secret / PII vault · GOVERNANCE · Partial · Add-on $ · Add-on $
  • Hosted Admin Portal (CNAME, white-label) · DEVELOPER · Partial · Full · Add-on $ · Full · Partial
  • Multi-environment (dev/stg/prod) · DEVELOPER · Partial · Full · Full · Full · Full · Partial
  • Agent run ↔ audit log binding · AGENT_OS · Full

neww.ai differentiators

  • Magic Auth (6-digit OTP): Agent context preserved across magic-auth — user lands back in the agent run.
  • MFA — WebAuthn / passkeys: Step-up triggered by risk-classifier on HIGH/DESTRUCTIVE agent actions.
  • Social login (Google, MS, Apple, GitHub): GitHub social login shipped — WorkOS does not list it.
  • HRIS bridge (Rippling, Workday, Bamboo, Gusto): HRIS events provision agent-capability tokens, not just user accounts.
  • Immutable audit logs (SOC2 / HIPAA): Audit rows link to AgentRun + run-state frames — WorkOS audit cannot.
  • Role-based access control: Roles scope to agent skill IDs, not just URL routes.
  • ABAC — agent skill scope: Only neww.ai authorizes per-skill access — incumbents lack the agent-OS layer.
  • Bot / abuse / anomaly radar: Anomaly scoring on RunEvent streams — detect runaway agent runs.
  • Encrypted secret / PII vault: Vault rows scoped to skill IDs — cross-skill access denied at PDP.
  • Multi-environment (dev/stg/prod): Cross-env agent-run replay via cycle 75 replay-engine.
  • Agent run ↔ audit log binding: Net-new category — only neww.ai has the agent OS underneath identity.

04 · Admin Portal

White-label IT admin surface, CNAME-ready

Same hosted Admin Portal pattern WorkOS offers — your customer's IT admin self-serves SSO + SCIM setup at acme-corp.admin.neww.ai with your branding, your locale, your IdP guides.

  • Custom CNAME with verified TLS
  • 6 locales out of the box
  • 6 admin flows: SSO, SCIM, audit, MFA, RBAC, API keys
  • 5 step-by-step IdP guides (Okta, Entra, Google, JumpCloud, Ping)

Portal preview (acme-corp.admin.neww.ai)

Connect your identity provider: choose how your team signs in to Acme Corp.

  • Configure Okta SAML · 7 steps · ~8 min
  • Configure Microsoft Entra ID SAML · 7 steps · ~10 min
  • Configure Google Workspace SAML · 7 steps · ~7 min

05 · Feature substrate

Every WorkOS primitive — wired into the agent OS underneath

Audit logs: 61 event types (categories: SSO · directory · MFA · RBAC · vault · radar · agent OS)
Hash-chained immutable audit trail with agent-run linkage.
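To make the hash-chaining concrete, here is an added example, written for this page and not neww.ai's lib/identity-os/audit-log-schema.ts: an append-only chain in which every row commits to the previous row's SHA-256, rows are keyed by agent run ID so a run can be replayed (the audit-row ↔ agent-run binding listed further down), and a verify() walk reports the first row whose content or link no longer matches. The field names, event-type names and sample events are assumptions.

```typescript
// Added example (not neww.ai's lib/identity-os/audit-log-schema.ts): an append-only,
// hash-chained audit trail whose rows are keyed by agent run ID.
// Field names and event-type names are assumptions for illustration.
import { createHash } from "crypto";

export interface AuditRow {
  seq: number;          // position in the chain, starting at 0
  ts: string;           // ISO-8601 timestamp of the event
  runId: string | null; // AgentRun this row belongs to (null for events outside a run)
  eventType: string;    // e.g. "sso.login" (assumed name, standing in for the page's 61 types)
  actor: string;
  data: Record<string, unknown>;
  prevHash: string;     // hash of the previous row, or GENESIS for the first row
  hash: string;         // SHA-256 over every other field of this row
}

const GENESIS = "0".repeat(64);

// Canonical JSON: keys sorted recursively so equal content always hashes the same.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const parts = Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonical(obj[k]));
    return "{" + parts.join(",") + "}";
  }
  return JSON.stringify(value);
}

function rowHash(row: Omit<AuditRow, "hash">): string {
  return createHash("sha256").update(canonical(row)).digest("hex");
}

// Every field except the hash itself, so a committed row can be re-hashed during verification.
function unhashed(row: AuditRow): Omit<AuditRow, "hash"> {
  return { seq: row.seq, ts: row.ts, runId: row.runId, eventType: row.eventType,
           actor: row.actor, data: row.data, prevHash: row.prevHash };
}

export class AuditChain {
  private rows: AuditRow[] = [];

  // Append a row; it commits to the previous row's hash, so history cannot be rewritten silently.
  append(entry: Omit<AuditRow, "seq" | "prevHash" | "hash">): AuditRow {
    const prevHash = this.rows.length > 0 ? this.rows[this.rows.length - 1].hash : GENESIS;
    const draft: Omit<AuditRow, "hash"> = { ...entry, seq: this.rows.length, prevHash };
    const row: AuditRow = { ...draft, hash: rowHash(draft) };
    this.rows.push(row);
    return row;
  }

  // Walk from genesis. Returns -1 if intact, else the seq of the first row whose
  // content or prevHash no longer matches.
  verify(): number {
    let expectedPrev = GENESIS;
    for (const row of this.rows) {
      if (row.prevHash !== expectedPrev || rowHash(unhashed(row)) !== row.hash) return row.seq;
      expectedPrev = row.hash;
    }
    return -1;
  }

  // Replay view: every row of one AgentRun, in chain order.
  forRun(runId: string): AuditRow[] {
    return this.rows.filter((r) => r.runId === runId);
  }

  // Direct access, used only to demonstrate tamper detection.
  rawRows(): AuditRow[] {
    return this.rows;
  }
}

// Constructed sample data: a login followed by a two-event agent run.
export function demoChain(): AuditChain {
  const chain = new AuditChain();
  const actor = "alice@acme.example";
  chain.append({ ts: "2026-05-18T09:00:00Z", runId: null, eventType: "sso.login", actor, data: { idp: "okta" } });
  chain.append({ ts: "2026-05-18T09:01:00Z", runId: "run_42", eventType: "agent.run.started", actor, data: { skill: "report.generate" } });
  chain.append({ ts: "2026-05-18T09:01:30Z", runId: "run_42", eventType: "agent.run.finished", actor, data: { costUsd: 0.12 } });
  return chain;
}
```

verify() returns -1 for an intact chain and otherwise the seq of the first bad row; editing any committed row, or re-hashing one row without re-hashing every later row, is caught at that point. forRun() is the replay view a compliance reviewer would use: every row of one run, in chain order. In a deployment the chain head would additionally be anchored somewhere the application cannot overwrite, since a hash chain alone proves only internal consistency.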

Directory sync: 20 attributes mapped (user 11 · group 3 · HRIS 6)
SCIM 2.0 + HRIS attribute map across user, group, and employment data.

Radar: 15 signal kinds (challenge ≥ 0.5 · block ≥ 0.85)
Anomaly scoring across login + agent-run signal streams.

RBAC + skill scope: 4 starter roles (admin · member · viewer · agent-operator)
Role-based access with per-agent-skill ABAC scope — the WorkOS gap.

Magic Auth: 5-attempt limit (10-minute TTL · agent context preserved)
6-digit OTP with hash-stored challenge + constant-time verify.

Vault: 5 secret kinds (API_KEY · OAUTH · WEBHOOK · DATABASE · PII)
Per-skill-scoped secret store. Cross-skill reads denied at PDP.

The wedge incumbents cannot copy

five differentiators
  1. RBAC for agent skills, not just routes

     Roles scope to skill IDs from the cycle-75 agent-OS registry. A user with role.member can run safe skills but not destructive ones. WorkOS, Auth0, Stytch all gate URLs — none gate skills.

     lib/identity-os/rbac-policy-engine.ts

  2. Audit row ↔ agent-run binding

     Every AgentRun emits an immutable, hash-chained audit row keyed by run ID. Compliance can replay the exact frames of a decision. Incumbents have audit logs; none link them to agent runs.

     lib/identity-os/audit-log-schema.ts

  3. MFA triggered by risk-classifier, not just login

     When a skill action is classified DESTRUCTIVE, the user must pass WebAuthn within the last 5 minutes — regardless of how recent their login is. Route-gated MFA cannot see agent intent.

     lib/identity-os/mfa-policy.ts

  4. Vault rows scoped to skill IDs

     A secret is readable only by the skills listed in its skillScope — even when the human user has broad org rights. Cross-skill access denied at the PDP layer. WorkOS Vault has no concept of agent skills.

     lib/identity-os/vault-secret-store.ts

  5. Radar for runaway agents

     Anomaly signals include AGENT_RUNAWAY (cost > P95 × 3 in 5 min) and AGENT_DESTRUCTIVE_CALL (skill outside approved scope). Detect rogue runs before $1k of compute. WorkOS Radar watches logins only.

     lib/identity-os/radar-anomaly.ts
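The three policy files named in items 1, 3 and 4 are not shown on this page. The following is an added example of a single policy decision point that implements the behaviour those items describe: roles gate skill IDs by risk class, HIGH and DESTRUCTIVE skills need a WebAuthn assertion from the last 5 minutes whatever the session age, and a vault secret is readable only by skills in its skillScope even for an admin. This is not neww.ai's code; the risk classes, the role-to-risk ladder, the lastWebAuthnAt field and the sample skills and secrets are assumptions (the four starter roles are the ones the page lists).

```typescript
// Added example (not neww.ai's rbac-policy-engine.ts / mfa-policy.ts / vault-secret-store.ts):
// one policy decision point combining skill-scoped RBAC, risk-triggered step-up MFA and
// skill-scoped vault reads. Risk classes, the role ladder and field names are assumptions.

export type Risk = "SAFE" | "HIGH" | "DESTRUCTIVE";
export type Role = "admin" | "member" | "viewer" | "agent-operator"; // the page's 4 starter roles
export type SecretKind = "API_KEY" | "OAUTH" | "WEBHOOK" | "DATABASE" | "PII";

export interface Skill { id: string; risk: Risk }
export interface Secret { id: string; kind: SecretKind; skillScope: string[] } // skills allowed to read it
export interface Principal { user: string; role: Role; lastWebAuthnAt: number | null } // epoch ms or never

export type Decision = { allow: true } | { allow: false; reason: string };

const STEP_UP_WINDOW_MS = 5 * 60 * 1000; // "within the last 5 minutes"

// Assumed ladder: the highest risk class each role may invoke. The unit of scope is the
// skill ID, not a URL route, so the same role decision applies however the skill is reached.
const MAX_RISK: Record<Role, Risk> = {
  admin: "DESTRUCTIVE",
  "agent-operator": "DESTRUCTIVE",
  member: "HIGH",
  viewer: "SAFE",
};
const RISK_RANK: Record<Risk, number> = { SAFE: 0, HIGH: 1, DESTRUCTIVE: 2 };

// 1. RBAC over skills: may this role invoke this skill at all?
export function checkRole(p: Principal, skill: Skill): Decision {
  if (RISK_RANK[skill.risk] > RISK_RANK[MAX_RISK[p.role]]) {
    return { allow: false, reason: "role " + p.role + " may not run " + skill.risk + " skill " + skill.id };
  }
  return { allow: true };
}

// 3. Risk-triggered MFA: HIGH/DESTRUCTIVE actions need a recent WebAuthn assertion,
// independent of how recent the session login is.
export function checkStepUp(p: Principal, skill: Skill, now: number): Decision {
  if (skill.risk === "SAFE") return { allow: true };
  if (p.lastWebAuthnAt === null || now - p.lastWebAuthnAt > STEP_UP_WINDOW_MS) {
    return { allow: false, reason: "step-up required: " + skill.risk + " skill " + skill.id + " needs WebAuthn within 5 min" };
  }
  return { allow: true };
}

// 4. Vault: a secret is readable only by the skills in its skillScope, whatever the user's role.
export function checkVault(secret: Secret, skill: Skill): Decision {
  if (!secret.skillScope.includes(skill.id)) {
    return { allow: false, reason: "secret " + secret.id + " is not scoped to skill " + skill.id };
  }
  return { allow: true };
}

// Full decision for "principal p asks skill to run, reading the secrets in `reads`".
// Checks are ordered cheapest-first; the first denial wins.
export function decide(p: Principal, skill: Skill, reads: Secret[], now: number): Decision {
  const checks: Decision[] = [checkRole(p, skill), checkStepUp(p, skill, now)];
  for (const s of reads) checks.push(checkVault(s, skill));
  for (const c of checks) if (!c.allow) return c;
  return { allow: true };
}
```

The vault check is deliberately independent of the role check: an admin who has just passed WebAuthn still cannot make a skill read a secret that is not in that secret's skillScope, which is the cross-skill denial the page attributes to the PDP layer.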
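For item 5, an added example, not neww.ai's lib/identity-os/radar-anomaly.ts, that scores one run's RunEvent stream for AGENT_RUNAWAY (spend inside a 5-minute window above 3 × a P95 baseline) and AGENT_DESTRUCTIVE_CALL (a skill outside the approved scope) and maps the combined score onto the radar thresholds challenge ≥ 0.5 and block ≥ 0.85. The event shape, the per-signal weights and the combination rule are assumptions; the two signal names and the thresholds are the page's.

```typescript
// Added example (not neww.ai's lib/identity-os/radar-anomaly.ts): scoring one agent run's
// RunEvent stream for AGENT_RUNAWAY and AGENT_DESTRUCTIVE_CALL and mapping the score onto
// the radar thresholds. Event shape, weights and the combination rule are assumptions.

export interface RunEvent { runId: string; ts: number; skillId: string; costUsd: number } // ts = epoch ms
export type Signal = "AGENT_RUNAWAY" | "AGENT_DESTRUCTIVE_CALL";
export type Verdict = "allow" | "challenge" | "block";
export interface RadarResult { signals: Signal[]; score: number; verdict: Verdict }

const WINDOW_MS = 5 * 60 * 1000;  // "in 5 min"
const RUNAWAY_FACTOR = 3;          // "cost > P95 × 3"
const CHALLENGE_AT = 0.5;          // page threshold
const BLOCK_AT = 0.85;             // page threshold
// Assumed weights: an out-of-scope destructive call alone crosses the block line,
// a runaway alone lands in the challenge band, both together block.
const WEIGHT: Record<Signal, number> = { AGENT_RUNAWAY: 0.6, AGENT_DESTRUCTIVE_CALL: 0.9 };

// Nearest-rank P95 of historical 5-minute spend samples (the baseline a real radar
// would compute offline, per tenant).
export function p95(samples: number[]): number {
  if (samples.length === 0) return 0;
  const sorted = samples.slice().sort((a, b) => a - b);
  return sorted[Math.ceil(0.95 * sorted.length) - 1];
}

export function scoreRun(events: RunEvent[], approvedSkills: Set<string>, baselineP95: number): RadarResult {
  const signals = new Set<Signal>();
  const ordered = events.slice().sort((a, b) => a.ts - b.ts);
  // Sliding 5-minute window over spend: evict events older than the window as it advances.
  let start = 0;
  let windowCost = 0;
  for (let i = 0; i < ordered.length; i++) {
    windowCost += ordered[i].costUsd;
    while (ordered[i].ts - ordered[start].ts > WINDOW_MS) {
      windowCost -= ordered[start].costUsd;
      start++;
    }
    if (windowCost > baselineP95 * RUNAWAY_FACTOR) signals.add("AGENT_RUNAWAY");
    if (!approvedSkills.has(ordered[i].skillId)) signals.add("AGENT_DESTRUCTIVE_CALL");
  }
  // Combine like independent evidence: score = 1 - product(1 - weight) over raised signals.
  const score = 1 - Array.from(signals).reduce((acc, s) => acc * (1 - WEIGHT[s]), 1);
  const verdict: Verdict = score >= BLOCK_AT ? "block" : score >= CHALLENGE_AT ? "challenge" : "allow";
  return { signals: Array.from(signals), score: Number(score.toFixed(4)), verdict };
}
```

The window matters as much as the threshold: the same total spend spread over nine minutes never exceeds 3 × P95 inside any 5-minute span and is left alone, while the identical spend compressed into three minutes raises AGENT_RUNAWAY and a challenge. Because the evaluation is incremental over the ordered stream, the same loop can run on live events and stop a run at the first block verdict rather than after the bill arrives.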

Ship enterprise-ready identity in days, not quarters.

Connect any SAML or OIDC IdP, sync your directory, gate your agents — all from one surface, all wired into the run-state machine. No WorkOS-style per-connection bill.