By default, when single sign-on (SSO) is enabled, each user can still choose to sign in with a password. If you want a group of users to authenticate only through your identity provider, you can enforce SSO at the user-profile level with the Enforce SSO access right.
Turn on the Enforce SSO access right, under the Advanced Security group in the user-profile editor. Everyone assigned to that profile must then sign in through SSO, and their password sign-in is refused and redirected to your SSO provider.
This lets you mix authentication methods on a single platform. For example, you can require your corporate employees to use SSO by placing them on a profile with Enforce SSO turned on, while external freelancers stay on another profile and keep password access.
Follow these steps to enforce SSO for a group of users:
-
Open the user-profile editor and select the profile you want to secure.
-
Open the Advanced Security group.
-
Turn on Enforce SSO and save.
-
Assign the relevant users to that profile.
For users on a profile with Enforce SSO turned on, the options that no longer apply are hidden, both in the administrator's people-management view and on the user's own My account page. This includes the Reset password action, the password-reset email, and the login-name and password fields. The public Forgot password flow also stops sending password resets to these users. You can still enable, disable, or delete a login, and you can still assign or change a user's profile.
SSO sign-in and personal API-key access remain available for these users.
Enforce SSO is off by default, so existing users and profiles are not affected, and it has no effect unless an SSO provider is configured on your platform. If a user ever locks themselves out, an administrator can recover access by reassigning that user to a profile that does not have Enforce SSO turned on.
Learn More
-
Single Sign On (SSO): Set up single sign-on with your identity provider.
-
Access Rights: View, edit, assign, and create access rights for user profiles.