General SSO Guide
Last modified on August 10, 2023
In addition to offering integrations with a variety of single sign-on (SSO) providers, StrongDM also allows the use of any OpenID Connect (OIDC)-compliant SSO service. If you are looking for specific instructions for a particular SSO provider, see our SSO guides in the Identity Providers section.
Provisioning and Suspension
StrongDM provides access to sensitive company-owned information and resources. When provisioning users via SSO, it is recommended to enable multifactor authentication (MFA) through the identity provider (IdP). With this action, you can maximize security when connecting to StrongDM.
For successful SSO authentications, users must be created in the StrongDM Admin UI. They must also exist with the correct access within the SSO provider. When a user is suspended or deleted from the SSO provider, their current sessions are terminated and future authentications are not allowed.
When you set up an SSO provider to authenticate with StrongDM and also enable Duo MFA in the Admin UI, Duo prompts during logins do not occur. In this scenario, Duo only plays a role to re-authenticate users when the StrongDM Desktop App locks due to inactivity, not during normal login attempts.
If using SSO, we recommend setting up MFA through your SSO provider to trigger MFA prompts during user logins.
General SSO Options
When enabling SSO in the StrongDM Admin UI (Settings > User Management > Single Sign-on), there are several fields to complete, starting with the provider. Once a provider is chosen, the rest of the fields appear. Follow the steps in the SSO setup guide for your specific provider for details on the values needed for these fields.
After filling in the provider-specific fields, three additional SSO-related options are available for all SSO configuration types. This section discusses these three options further while explaining their ramifications for your SSO user management.
Allow password login for admins
When the Allow password login for admins? option is enabled, current or future administrators can log in with either SSO or password credentials. The password can be reset any time via a password reset email.
If using SSO, they log in to StrongDM by clicking the login button for their respective SSO provider (for example, if the provider is Okta, the button is Log in with Okta) and entering their credentials for that provider. If using a password, they log in in by entering their username and password for StrongDM and clicking Log in.
This option permits administrators to access the organization if SSO is down or misconfigured. For this reason, StrongDM recommends that this option be enabled until you are confident that your SSO is configured properly. If this option is disabled and you are unable to use SSO to log in, you can contact StrongDM Support to restore access to your organization.
Send a welcome email to users
If the Send a welcome email to users? option is enabled, new users receive a welcome email. When disabled, a notification is not sent when the user is created within StrongDM. You must notify them separately.
Allow non-SSO users
The Allow non-SSO users? option allows the creation of a user whose permission level is only User and who can only log in to StrongDM with a password. This option is useful if you want to invite users to the organization who are not in your SSO system but need access to some resources (for example, contractors, interns, and so forth).
To create non-SSO users, first select Allow non-SSO users? and save the SSO settings. Then go to the Admin UI’s Users page, click Add user, and select the non-SSO checkbox. The user receives an invitation email with a link to set a password to log in.
Going forward, whenever the non-SSO user logs in to StrongDM, they enter their username and password, and click Log in.
Non-SSO users can be identified by the non-SSO indicator beside their name on the Users page of the Admin UI.
Non-SSO users cannot be upgraded to Administrator, Team Leader, or Database Administrator. To change a non-SSO user to a regular user, remove and recreate the user.
To create a non-SSO admin, add the user manually in StrongDM, but don’t select the “non-SSO” checkbox. Because they were created in StrongDM, they won’t be managed by the SSO provider. Moreover, because the checkbox was not selected, they won’t be limited to the User permission level.
If SSO is configured for your organization but you want to use a non-SSO account to log in to the StrongDM CLI or client, create a matching account without using your SSO provider, or (for CLI only) use an admin token.
SSO Reauthentication
By default, when SSO (currently for Okta only) is set up for an organization, users must re-authenticate when logging in to StrongDM. If you have a reason to remove this reauthentication behavior, such as a conflict with your MFA service or a specific setup of your SSO service, this setting (located in the Admin UI at Settings > Security > SSO Reauthentication) allows you to disable it. In most cases, we recommend that the setting remain at its default No position, in order to help prevent clickjacking attacks.