Enforcing Single Sign-On in Your Organization

Single Sign-On (SSO) enforcement is an organization-wide security setting available after identity provider (IdP) configuration is complete. When SSO enforcement is enabled, users accessing an org's resources must log in through an identity provider in that org.

To enforce SSO in your organization, complete the following steps:

1. Connect at least one Identity Provider (IdP) to your organization (org). For detailed guidance, see Adding a New Identity Provider, Adding a Domain, Verifying a Domain with a TXT Record, and Creating a New Signing Key.

Note: If multiple IdPs are set up in an org, users may log in through any of them when the org is enforcing SSO.

2. Confirm that users are able to log in to Flexera One through the IdP.

Important: When SSO is enforced, users who are unable to log in with one of the org's IdPs will lose access to the org.

3. Set up Just-In-Time (JIT) provisioning for onboarding users in an organization that uses SSO (recommended). For details, see Just-In-Time Provisioning and Group Sync.

Note: Email-based invitations are disabled when an org enforces SSO because email-based invitations bypass SSO. For more about email invitations, see Adding New Users.

4. Enable SSO enforcement. After an IdP has been set up in Flexera One, click the "Single sign-on is not enforced" settings option in the upper-right corner of the Identity Providers screen to enable SSO enforcement.

5. Select a default IdP for the org. Users who have not logged in through one of the org’s IdPs will be prompted to log in through the org's default IdP.

Note the following:

Recovery: If an IdP is unavailable or there is a problem with the SSO connection, all users will be locked out of an organization that enforces SSO. In this scenario, contact Flexera support in the Flexera Community Portal.
Users with Passwords: Users who were added to Flexera One by accepting an invitation have set a password. A user who logs in with their password and attempts to access an org enforcing SSO will be forced to log in through an IdP in that org.
Flexera One API Access: User access to Flexera One APIs is not currently subject to SSO enforcement. To work directly with Flexera One APIs, refer to Working with Flexera One APIs.
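
A pre-enforcement check for steps 2 and 3, as an added example that is not part of the Flexera documentation: it cross-references an org roster against IdP sign-in records to list users with no successful IdP login on record and pending invitations that will need JIT provisioning instead. The CSV column names, IdP names and sample rows are constructed assumptions, not a Flexera One export format.

```python
import csv
import io

# Constructed sample data: the column names and values are assumptions for
# this example, not a Flexera One export format.
ROSTER_CSV = """email,status
alice@example.com,active
Bob@example.com,active
carol@example.com,active
dave@example.com,invited
"""

IDP_SIGNINS_CSV = """timestamp,email,idp,result
2024-05-01T09:00:00Z,alice@example.com,corp-saml,success
2024-05-01T09:05:00Z,bob@example.com,corp-saml,failure
2024-05-02T10:00:00Z,BOB@example.com,corp-oidc,success
2024-05-02T11:00:00Z,carol@example.com,corp-saml,failure
"""


def sso_readiness(roster_csv, signins_csv):
    """Classify org users before SSO enforcement is switched on."""
    # Emails with at least one successful login through any IdP.
    # Any of the org's IdPs counts, so the IdP name is not filtered on.
    verified = set()
    for row in csv.DictReader(io.StringIO(signins_csv)):
        if row["result"].strip().lower() == "success":
            verified.add(row["email"].strip().lower())

    report = {"ready": [], "no_idp_login": [], "pending_invitation": []}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        email = row["email"].strip().lower()
        if row["status"].strip().lower() == "invited":
            # Email invitations are disabled under enforcement; onboard via JIT.
            report["pending_invitation"].append(email)
        elif email in verified:
            report["ready"].append(email)
        else:
            # No successful IdP login on record: at risk of losing access.
            report["no_idp_login"].append(email)
    return report


if __name__ == "__main__":
    for bucket, emails in sso_readiness(ROSTER_CSV, IDP_SIGNINS_CSV).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Resolve every address in `no_idp_login` before enabling enforcement in step 4, since a failed attempt alone does not show that the user can log in through the IdP.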