Enforcing Single Sign-On in Your Organization

Important: To enforce single sign-on in your organization, you must have administrative privileges in your organization’s identity provider and one of the following Flexera One roles: Manage organization or Administer organization. For complete descriptions of each role available in Flexera One, see Flexera One Roles.

Single Sign-On (SSO) enforcement is an organization-wide security setting available after identity provider (IdP) configuration is complete. When SSO enforcement is enabled, users accessing an org's resources must sign in through an identity provider in that org.

The following steps explain how to enforce SSO in your organization.

To enforce SSO in your organization:

1. Connect at least one Identity Provider (IdP) to your organization (org). For detailed guidance, see the following:
   - Adding a New Identity Provider
   - Adding a Domain
   - Verifying a Domain With a TXT Record
   - Creating a New Signing Key

Note: If multiple IdPs are set up in an org, users may sign in through any of them when the org is enforcing SSO.

2. Confirm that users are able to sign in to Flexera One through the IdP.

Important: When SSO is enforced, users who are unable to sign in with one of the org's IdPs will lose access to the org.

3. Set up Just-In-Time (JIT) provisioning for onboarding users in an organization that uses SSO (recommended). For details, see Just-In-Time Provisioning and Group Sync.

Note: Email-based invitations are disabled when an org enforces SSO because email-based invitations bypass SSO. For more about email invitations, see Adding New Users.

4. Enable SSO enforcement. After an IdP has been set up in Flexera One, click the "Single sign-on is not enforced" settings option in the upper-right corner of the Identity Providers screen to enable SSO enforcement.

5. Select a default IdP for the org. Users who have not logged in through one of the org’s IdPs will be prompted to sign in through the org's default IdP.

Note: Consider the following:

- Recovery: If an IdP is unavailable or there is a problem with the SSO connection, all users will be locked out of an organization that enforces SSO. In this scenario, contact Flexera support in the Flexera Community Portal.
- Users with Passwords: Users who were added to Flexera One by accepting an invitation have set a password. A user who logs in with their password and attempts to access an org enforcing SSO will be forced to sign in through an IdP in that org.
- Flexera One API Access: User access to Flexera One APIs is not currently subject to SSO enforcement. To work directly with Flexera One APIs, see Working with Flexera One APIs.