Single Sign-On and Authentication

One of the first questions IT and security teams ask about MentorNeko is "does it support SSO?" This article gives you the straight answer: how authentication actually works, why there are no passwords anywhere in the system, and how single sign-on requirements are handled.

How Does Authentication Work at a Glance?

MentorNeko is entirely passwordless. To log in, a member enters their email address on their organization's login page (for example acme.mentorneko.com), receives a secure link by email, and clicks it. A short verification step confirms the click came from a person rather than an automated email scanner, and the member is in.

Login page showing the email input field and 'Send me a link' button

For the full member-facing walkthrough, see How Magic Links Work.

Why Are There No Passwords?

MentorNeko never creates or stores a password for any user. That is a deliberate design choice, not a missing feature:

  • There are no credentials to phish, reuse, or leak in a breach. A password database that does not exist cannot be stolen.
  • There is nothing to forget or reset, which matters for a platform members may visit weekly rather than daily.
  • Access is anchored to the one credential your organization already governs: the corporate email account.

What Security Properties Should IT Teams Know About?

Links expire. Interactive login links are valid for 15 minutes and are invalidated immediately after a single use. Links embedded in notification emails (session reminders, introductions) are reusable for convenience, with an expiry your organization configures (30 days by default).

Access is tied to the corporate email account. A member can only log in if they can read email at their registered address. When someone leaves and IT deprovisions their mailbox, their ability to access MentorNeko goes with it, even before anyone touches the MentorNeko roster.

Deactivation takes effect immediately. When an admin deactivates or bans a member, that member is blocked from logging in right away. Existing links stop working; there is no lingering session to chase down.
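
The link and deactivation rules described above, as an added example (not MentorNeko's code): a hypothetical in-memory store that enforces 15-minute single-use login links, reusable notification links with a 30-day default expiry, and deactivation that blocks outstanding links. The class and method names, and the choice to store only a SHA-256 hash of each token, are assumptions of this sketch.

```python
import hashlib
import secrets
import time

LOGIN_TTL = 15 * 60                  # interactive login links: 15 minutes (from the article)
NOTIFICATION_TTL = 30 * 24 * 3600    # notification links: 30 days by default (from the article)


class MagicLinkStore:
    """Hypothetical in-memory store; a real service would back this with a database."""

    def __init__(self, notification_ttl=NOTIFICATION_TTL):
        self.notification_ttl = notification_ttl  # configurable per organization
        self.links = {}           # sha256(token) -> record
        self.deactivated = set()  # emails an admin has deactivated or banned

    @staticmethod
    def _digest(token):
        # Assumption: keep only a hash, so a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, kind, now=None):
        """kind is "login" or "notification"; returns the secret to embed in the link."""
        now = time.time() if now is None else now
        ttl = LOGIN_TTL if kind == "login" else self.notification_ttl
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.links[self._digest(token)] = {
            "email": email.lower(), "kind": kind, "expires": now + ttl}
        return token

    def deactivate(self, email):
        self.deactivated.add(email.lower())

    def redeem(self, token, now=None):
        """Return the member's email if the link is still valid, else None."""
        now = time.time() if now is None else now
        key = self._digest(token)
        rec = self.links.get(key)
        if rec is None:
            return None                      # unknown or already-used link
        if now >= rec["expires"]:
            del self.links[key]              # expired: drop the record
            return None
        if rec["email"] in self.deactivated:
            return None                      # checked at redeem time, so existing links stop working
        if rec["kind"] == "login":
            del self.links[key]              # login links are invalidated after a single use
        return rec["email"]
```

Passing `now` explicitly makes the expiry rules testable without waiting; in production the default wall-clock path applies.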

Enrollment is controlled at the organization level. Admins choose between two modes: approve specific email domains so anyone with a matching work email is automatically provisioned, or run an invite-only roster where only explicitly listed members can join. Either way, nobody outside your organization can create an account.

Admin enrollment settings showing approved domain and invite-only options

Does MentorNeko Support SAML or OIDC SSO?

There is no off-the-shelf SAML or OIDC configuration: passwordless magic links are the standard authentication for every organization. When an enterprise engagement has a hard identity-provider requirement, that integration is scoped and built as part of the contract, because connecting to your IdP properly means working against your specific environment rather than shipping a generic toggle. If SSO is on your requirements list, raise it during scoping and it becomes a deliverable with a specification, not a roadmap promise.

For most IT teams, the magic-link model already covers what SSO is bought for:

  • Access governance happens through the roster and email domain controls. The admin roster (kept current manually, via CSV Full Roster Sync, or via the Sync API) is the authoritative list of who can log in.
  • Deprovisioning works the way you expect. Because every login requires access to the corporate inbox, cutting off the email account cuts off MentorNeko access. Removing the member from the roster makes it immediate and explicit.
  • The day-to-day benefit of SSO is built in. Members have no separate password to manage, no credential to add to the password manager, and nothing extra for your helpdesk to reset.

What standard magic links do not give you is centralized session policy from your identity provider: conditional access rules, IdP-enforced MFA on this specific app, and a MentorNeko tile in your SSO portal. Those are exactly the requirements to bring up during contract scoping.

Who Should I Contact With Security Questions?

If your security team has a questionnaire or review process, your MentorNeko account contact can walk through authentication, data handling, and roster controls in detail. The honest summary to bring to that conversation: passwordless magic links, no stored credentials, organization-controlled enrollment, instant deactivation, and identity-provider integration scoped per contract when your requirements call for it.
