Enforce SSO
When an organization configures Single Sign-On (SSO) for their users to log in to the VIP Dashboard, they have the option to Enforce SSO in order to disallow all other authentication methods (e.g., GitHub, WordPress.com).
Prerequisite
A user must have at minimum an Org admin role to enable or disable Enforce SSO for an organization.
Considerations
When Enforce SSO is enabled:
- An Org admin will no longer be able to invite new users to the organization in the People – Invitations panel of the VIP Dashboard. New users can only be added within the account settings of the identity provider (IdP) that is currently configured for the organization’s SSO.
- New users added to the IdP will by default have an Org guest role with no assigned App role upon their first successful login to the VIP Dashboard. A user with an Org admin role must update the new user’s Org role (and App role if needed) so that the new user has the correct access to the organization’s applications.
- Existing users in the organization who previously logged in to the VIP Dashboard with a non-SSO method (e.g. GitHub, WordPress.com) will be blocked from accessing the organization’s VIP Dashboard until they are migrated to the SSO method by an Org admin.
Enable Enforce SSO
To enable Enforce SSO for Single Sign-On in the VIP Dashboard:
- Navigate to the organization view of the VIP Dashboard.
- Select “Single Sign-On” from the left-hand navigation menu.
- Select “Enforce SSO” from the submenu.
- Select the button labeled “Enable Enforce SSO”.
- In the confirmation dialog, select the button labeled “Confirm & Enable”.
Identifying existing users who will be blocked by Enforce SSO
When Enforce SSO is enabled, users in the organization who previously logged in to the VIP Dashboard with a non-SSO method (e.g. GitHub, WordPress.com) will be blocked from accessing the organization’s VIP Dashboard.
To identify these affected users, the Org admin can:
- Navigate to the organization view of the VIP Dashboard.
- Select “People” from the left-hand navigation menu.
- Select the tab labeled “Platform Access”.
- Select the “Blocked Auth Methods” filter from the “Auth Method” dropdown menu located at the upper left of the panel.
Migrating existing users to the SSO method
For affected users to regain access to the VIP Dashboard, the Org admin must ensure that the user has been added to the organization’s IdP. Instructions should then be provided to the user to log out of the VIP Dashboard and log back in with the configured SSO method.
When the user logs in to the VIP Dashboard with the SSO method, a new user account will be created for them, with a default Org guest role. The Org admin can either manually edit the user’s account with the correct access levels to the organization’s applications, or migrate their role and permissions from their previous account to the new one.
- In the “Platform Access” tab, locate the user’s account that has used SSO as the Auth Method to log in.
- Select “Edit” to the right of the user in the “Actions” column.
- Follow the instructions to “Copy User Roles” from the user’s previous non-SSO account to the new account.
- After the settings for the new account have been updated and saved, the user’s non-SSO account can optionally be removed.
Disable Enforce SSO
To disable Enforce SSO for Single Sign-On in the VIP Dashboard:
- Navigate to the organization view of the VIP Dashboard.
- Select “Single Sign-On” from the left-hand navigation menu.
- Select “Enforce SSO” from the submenu.
- Select the button labeled “Disable Enforce SSO”.
- In the confirmation dialog, select the button labeled “Confirm & Disable”.
Last updated: December 22, 2023