Cerbos authorization for WorkOS
WorkOS provides enterprise-ready SSO, Directory Sync, and Organizations for B2B applications. Cerbos uses WorkOS identity signals like organization memberships, directory groups, and user roles to make fine-grained authorization decisions across your multi-tenant application.
Organization-scoped policies
Use WorkOS Organization memberships and roles to drive multi-tenant authorization policies in Cerbos
Directory Sync groups
Reference customer directory groups from Okta, Azure AD, or Google Workspace as principal attributes in Cerbos policies
Enterprise SSO context
Use SSO connection type, organization, and IdP attributes from WorkOS profiles to make authorization decisions
How Cerbos works with WorkOS
WorkOS handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with WorkOS
- Users authenticate via WorkOS, WorkOS handles enterprise SSO (SAML/OIDC), social login, and email/password authentication. Directory Sync keeps user profiles and group memberships current from the customer's identity provider.
- Extract identity from the WorkOS session, Your application retrieves the WorkOS user profile, including organization membership, directory groups, and SSO connection details.
- Send identity and resource context to Cerbos, Pass the WorkOS user ID, organization ID, directory groups, and role as principal attributes alongside the target resource and action to the Cerbos PDP.
- Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the WorkOS identity data and resource context, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos use WorkOS Organizations?
WorkOS Organizations represent your customers' companies in a B2B application. Pass the user's organization ID, organization membership, and role to Cerbos as principal attributes. Your policies can enforce organization-scoped access rules, ensuring users only access resources within their own organization.
Can I use WorkOS Directory Sync groups with Cerbos?
Yes. Directory Sync pulls group memberships from your customers' identity providers (Okta, Azure AD, Google Workspace) into WorkOS. These groups are available on the user profile and can be passed to Cerbos as principal attributes, enabling policies based on the customer's own organizational structure.
Does this work with WorkOS SSO profiles?
Yes. When users authenticate via SAML or OIDC through WorkOS SSO, the profile includes the connection type, organization, and identity provider attributes. Pass these to Cerbos for policies that can differentiate authorization based on how the user authenticated or which enterprise connection they used.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + WorkOS
- Cerbos extends WorkOS roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.