General SSO Guide

Last modified on February 1, 2023

In addition to offering integrations with a variety of single sign-on (SSO) providers, StrongDM also allows the use of any OIDC-compliant SSO service. If you are looking for specific instructions for a particular SSO provider, see our SSO guides in the Identity Providers section.

Provisioning and Suspension

StrongDM provides access to sensitive company-owned information and resources. When provisioning users via SSO, enable multifactor authentication (MFA) in the identity provider (IdP) so that every SSO login to StrongDM is protected by a second factor enforced at the IdP.

For an SSO authentication to succeed, the user must exist both in the StrongDM Admin UI and in the SSO provider, with the correct access assigned there. When a user is suspended or deleted in the SSO provider, their current StrongDM sessions are terminated and further authentications are refused.

General SSO Options

When enabling SSO in the StrongDM Admin UI, the following options display.

The first three fields are required for each SSO type. First select your provider from the dropdown. Then follow the steps in the SSO setup guide for your specific provider. Details for the Single Sign-on URL, the Client ID, and the Client Secret can be found in the individual SSO setup guides.

After filling in the three provider-specific fields, three additional options are available for every SSO configuration type. The rest of this page describes these three options and what each one means for how you manage SSO users.

Allow password login for admins

When this option is enabled, admins can log in with SSO or with the password assigned to their StrongDM account, which can be reset via a password reset email. This permits administrators to access the organization if SSO is down or misconfigured. For this reason, StrongDM recommends that this option stay enabled until you are confident your SSO configuration is set up properly. Note that a password login does not go through the IdP, so any MFA enforced there does not apply to it; treat it as a break-glass path and disable it once SSO has been verified. If this option is disabled and you are unable to use SSO to log in, contact StrongDM Support to restore access to your organization.

Send a welcome email to users

If this option is enabled, new users receive a welcome email. When it is disabled, no notification is sent when a user is created in StrongDM, and you must notify them separately.

Allow non-SSO users

This option allows you to invite users who are not in your SSO system (for example, contractors or interns) to the organization. These users receive an invitation email with a link to set a password for logging in. They can be identified by a non-SSO indicator on the Users page of the Admin UI, which makes it straightforward to review periodically which accounts fall outside your IdP's lifecycle management.