Note: If you are looking for SSO-specific instructions, check out our SSO guides in the Integrations section.
Only users visible in the strongDM Admin UI are allowed to authenticate via SSO. Some SSO providers (such as Okta and Azure) additionally support user provisioning via SAML or SCIM; strongDM does not currently support these provisioning features. Users must be provisioned in strongDM manually in addition to being granted access within the SSO. For more information, please contact your Account Manager.
When users are suspended or deleted within the SSO, current sessions are terminated and future authentications will be disallowed.
Warning: When suspending or deleting a user in your SSO, you must additionally suspend or delete them within strongDM.
When enabling SSO, the Admin UI presents the following options.
The first three fields are required for every SSO type. First select your provider from the drop-down, then follow the steps in the SSO setup guide for your specific provider. Details on the Single Sign-on URL, the Client ID, and the Client Secret are covered in the individual SSO setup guides.
After filling in the three SSO-specific fields, there are three further SSO-related options below them that apply to all SSO configuration types. This page describes those three options and their ramifications for your SSO user management.
When this option is enabled, admins can log in either with SSO or with the password assigned to their strongDM account, which can be reset via a password reset email. This lets administrators access the organization if SSO is down or misconfigured. For this reason, strongDM recommends leaving this option enabled until you are confident your SSO configuration is set up properly. If this option is disabled and you are unable to log in with SSO, you will need to contact strongDM support to restore access to your organization.
If this option is enabled, new users receive a welcome email. If it is disabled, users receive no notification that they have been created within strongDM, and it is up to you to notify them separately.
This option allows you to invite users who are not in your SSO system (e.g. contractors, interns) to the organization. These users receive an invitation email with a link to set a password and can then log in with that password. In the Users view of the web UI, these users are tagged with a non-SSO flag.
Important: Users created in this manner cannot be upgraded to Team Leader, Database Administrator, or Account Administrator. If you later wish to change a non-SSO user to a regular user, you will need to remove and recreate the user.