General SSO Guide
Last modified on February 1, 2023
In addition to offering integrations with a variety of single sign-on (SSO) providers, StrongDM also allows the use of any OIDC-compliant SSO service. If you are looking for specific instructions for a particular SSO provider, see our SSO guides in the Identity Providers section.
Provisioning and Suspension
StrongDM provides access to sensitive company-owned information and resources. When provisioning users via SSO, it is recommended to enable multifactor authentication (MFA) through the identity provider (IdP), so that every SSO login to StrongDM is protected by an MFA prompt.
For SSO authentication to succeed, a user must be created in the StrongDM Admin UI and must also exist, with the correct access, in the SSO provider. When a user is suspended or deleted in the SSO provider, their current sessions are terminated and future authentications are not allowed.
When you set up an SSO provider to authenticate with StrongDM and also enable Duo MFA in the Admin UI, Duo prompts do not occur during logins. In this scenario, Duo only re-authenticates users when the StrongDM Desktop App locks due to inactivity, not during normal login attempts.
If using SSO, we recommend setting up MFA through your SSO provider to trigger MFA prompts during user logins.
General SSO Options
When enabling SSO in the StrongDM Admin UI, the following options display.
The first three fields are required for each SSO type. First select your provider from the dropdown. Then follow the steps in the SSO setup guide for your specific provider. Details for the Single Sign-on URL, the Client ID, and the Client Secret can be found in the individual SSO setup guides.
After filling in the three SSO-specific fields, three additional SSO-related options are available for all SSO configuration types. This page discusses these three options further while explaining their ramifications for your SSO user management.
Allow password login for admins
When this option is enabled, admins can log in with SSO or with the password assigned to their StrongDM account, which can be reset via a password reset email. This permits administrators to access the organization if SSO is down or misconfigured. For this reason, StrongDM recommends that this option be enabled until you are confident your SSO configuration is set up properly. If this option is disabled and you are unable to use SSO to log in, you can contact StrongDM Support to restore access to your organization.
Send a welcome email to users
If this option is enabled, new users receive a welcome email. When disabled, a notification is not sent when the user is created within StrongDM. You must notify them separately.
Allow non-SSO users
This option allows you to invite users who are not in your SSO system (for example, contractors or interns) to the organization. These users receive an invitation email with a link to set a password so they can log in. They can be identified by a non-SSO indicator on the Users page of the Admin UI.