Organization settings and security - Serval Documentation

Serval has two levels of settings: Organization settings (for Org Admins) and Team settings (for Team Managers). This page covers organization-wide admin, including Security (SSO, SCIM, domain policies)—plus users, teams, API keys, and audit. Per-team options (channels, SLAs, labels) are in Team settings. In the product, identity controls live under Organization settings → Security. In this guide, that same scope is documented under Security: SSO, SCIM, and domains—not on a separate URL.

Organization Settings

Access organization settings by clicking your organization name at the top of the sidebar, then selecting Settings.

Only Org Admins can access organization settings.

Users

Manage everyone in your organization:

View all users and their org roles (Member or Admin)
Invite new users
Deactivate users
Change organization roles

Teams

Create and manage teams:

Create new teams with a name and prefix
View team membership
Delete teams

Groups

Organize users into groups for easier management:

Create groups
Add/remove users from groups
Use groups for assignment rules and access policies

Security: SSO, SCIM, and domains

Only Org Admins can open Organization Settings → Security in the product. That screen groups authentication and directory controls in one place. The sections below match what you configure there.

Open organization settings from your organization name at the top of the sidebar, then choose Settings. Select Security in the sidebar under the Security section.

Serval connects identity providers using SAML 2.0 via WorkOS, including Okta, Google Workspace, Azure AD (Microsoft Entra ID), OneLogin, JumpCloud, PingFederate, and other SAML 2.0 compliant providers.

SSO

Connect and review SSO for your identity provider (SAML via WorkOS).
Confirm domain verification and overall SSO configured status from the card.
Use Require SSO when everyone must sign in through your IdP.

SCIM

Configure SCIM to sync users and groups from your identity provider into Serval.

Domain allowlist and filtering

Turn domain filtering on or off for your organization.
Add allowed domains so only matching email addresses stay in scope when users sync from connected directories and integrations.

Enforce domain filter

After allowed domains are saved, Enforce Domain Filter appears at the bottom of the domain allowlist card.

Click Check Users to run a dry run. Serval lists which users would be deactivated because their email does not match the allowlist.
Review the dialog. The admin running the check is never included in deactivation.
Confirm to deactivate all non-matching users in one step.

Users deactivated by enforcement remain deactivated while domain filtering stays enabled. Reactivation rules follow your domain policy until it changes.

API Keys

Manage programmatic access to Serval:

Create API keys with specific scopes
View and revoke existing keys
See last usage timestamps

Audit Logs

View a record of actions taken in your organization:

Filter by user, action type, or date range
Export logs for compliance

Support tokens

Enable time-bound access for Serval support engineers to assist with your tenant:

Generate tokens — Users can create time-limited support tokens from the profile menu (Get support).
Automatic expiration — Tokens expire after the configured duration with no manual cleanup required.
Full audit trail — All access performed via support tokens is logged for compliance and transparency.

For steps, security details, and how to revoke access, see Support → Support tokens.

Quick reference

I want to…	Go to…
Invite a new user to Serval	Org Settings → Users → Invite
Create a team	Org Settings → Teams → Create Team
Set up SSO	Org Settings → Security
Create an API key	Org Settings → API Keys
Add someone to my team	Team Settings → Team Members
Configure Slack channels	Team Settings → Channels
Set SLA targets	Team Settings → SLA
Create ticket labels	Team Settings → Labels

Steps that use Team Settings are documented in Team settings.