General SSO Guide
If you are looking for specific instructions for a particular single sign-on (SSO) provider, check out our SSO guides in the Installation > SSO section.
In addition to offering integrations with a variety of SSO providers, strongDM also allows the use of any OIDC-compliant SSO service.
Provisioning and Suspension
When provisioning users via SSO, if you wish to enforce MFA for those users, you will need to do so via the SSO provider. Using Duo via strongDM is not an option when the users are authenticating via an SSO provider instead of directly with strongDM.
Only users visible in the strongDM Admin UI will be allowed to authenticate via SSO. Some SSO providers (such as Okta and Azure) additionally support user provisioning via SAML; strongDM does not currently support this. Users must be provisioned in strongDM manually in addition to being granted access within the SSO provider.
When users are suspended or deleted within the SSO provider, current sessions are terminated and future authentications will be disallowed.
When suspending or deleting a user in your SSO provider, you should also suspend or delete them within strongDM.
General SSO Options
When enabling SSO, you will see these options.
The first three fields are required for each SSO type. First select your provider from the dropdown. Then follow the steps in the SSO setup guide for your specific provider, to the left. Details on the Single Sign-on URL, the Client ID, and the Client Secret can be found in the individual SSO setup guides.
Below the three SSO-specific fields are three further SSO-related options that are available for all SSO configuration types. This page discusses those three options and their ramifications for your SSO user management.
Allow password login for admins
When this option is enabled, admins will be able to log in with SSO or with the password assigned to their strongDM account, which can be reset via a password reset email. This permits administrators to access the organization if SSO is down or misconfigured. For this reason, strongDM recommends that this option be enabled until you are confident your SSO configuration is set up properly. If this option is disabled and you are unable to use SSO to log in, you will need to contact strongDM Support to restore access to your organization.
Send a welcome email to users
If this option is enabled, new users will receive a welcome email. If it is disabled, then users will receive no notification that they have been created within strongDM, and it will be up to you to notify them separately.
Allow non-SSO users
This option allows you to invite users to the organization who are not in your SSO system (e.g., contractors or interns). These users will receive an invitation email with a link to set a password and will then be able to log in with that password. In the Users view of the Admin UI, these users will be tagged with a non-SSO flag.
Users created in this manner cannot be upgraded to Team Lead, Database Administrator, or Account Administrator. If you later wish to change a non-SSO user to a regular user, you will need to remove and recreate the user.
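Because strongDM does not consume SAML provisioning data, the user list in strongDM and the user list in your SSO provider drift apart unless you reconcile them yourself: a user removed from the SSO provider still exists in strongDM until you suspend or delete them there, and a user added to the SSO provider cannot log in until you create them in strongDM. The script below is an added example, not strongDM's own code, that computes both gaps from two exported lists. It assumes the user's email address is the join key between the two systems, and that non-SSO users (tagged with the non-SSO flag in the Users view) are expected to be absent from the SSO provider and therefore must not be flagged for suspension. Both input lists are constructed sample data; how you export the real lists from your provider and from strongDM is not shown.

```python
"""Reconcile SSO-provider users against strongDM users (added example).

Inputs are assumed to be exported separately: the active user emails from
your SSO provider, and the users shown in the strongDM Admin UI together
with their suspended state and non-SSO flag.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SdmUser:
    email: str
    suspended: bool
    non_sso: bool  # the non-SSO flag shown in the Admin UI Users view


@dataclass
class Reconciliation:
    # SSO users still active in strongDM but no longer active in the SSO provider
    suspend_in_sdm: list = field(default_factory=list)
    # users active in the SSO provider but not yet created in strongDM
    provision_in_sdm: list = field(default_factory=list)
    # users gone from the SSO provider that are already suspended in strongDM
    already_suspended: list = field(default_factory=list)
    # non-SSO users, legitimately absent from the SSO provider, skipped on purpose
    non_sso_skipped: list = field(default_factory=list)


def normalise(email):
    """Email is the assumed join key; compare it case-insensitively."""
    return email.strip().lower()


def reconcile(idp_active_emails, sdm_users):
    idp = {normalise(e) for e in idp_active_emails}
    sdm = {normalise(u.email): u for u in sdm_users}
    result = Reconciliation()
    for email, user in sorted(sdm.items()):
        if user.non_sso:
            # Invited outside SSO; their absence from the IdP is expected.
            result.non_sso_skipped.append(email)
            continue
        if email in idp:
            continue
        if user.suspended:
            result.already_suspended.append(email)
        else:
            result.suspend_in_sdm.append(email)
    result.provision_in_sdm = sorted(e for e in idp if e not in sdm)
    return result


# Constructed sample data (not real accounts).
IDP_ACTIVE = ["alice@example.com", "Bob@Example.com", "dave@example.com"]
SDM_USERS = [
    SdmUser("alice@example.com", suspended=False, non_sso=False),
    SdmUser("bob@example.com", suspended=False, non_sso=False),
    SdmUser("carol@example.com", suspended=False, non_sso=False),  # left the IdP
    SdmUser("erin@example.com", suspended=True, non_sso=False),    # already handled
    SdmUser("frank-contractor@example.com", suspended=False, non_sso=True),
]


def run_sample():
    return reconcile(IDP_ACTIVE, SDM_USERS)


if __name__ == "__main__":
    r = run_sample()
    print("suspend in strongDM:     ", r.suspend_in_sdm)
    print("provision in strongDM:   ", r.provision_in_sdm)
    print("already suspended:       ", r.already_suspended)
    print("non-SSO users skipped:   ", r.non_sso_skipped)
```

Run this on a schedule after your SSO provider's user export and act on the `suspend_in_sdm` list first, since those accounts can still authenticate until you suspend them in strongDM. Treat the `non_sso_skipped` list as a review queue rather than noise: it is the set of accounts that bypass your SSO provider's MFA entirely.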