»Single Sign-On Overview
HashiCorp Cloud Platform (HCP) allows organizations to configure SAML 2.0 SSO (Single Sign-On) as an alternative to traditional user management with GitHub and email-based options. This can help mitigate Account Take Over (ATO) attacks, provide a universal source of truth to federate identities from your identity provider (IDP), and help you better manage user access to your organization.
This page provides an overview of SSO for HCP and how to add and delete SSO configurations for an organization.
Only organization owners can configure SSO; other administrators do not have permission. The Single Sign-On page in Settings displays a summary of the current SSO configuration.
When you enable SSO for an organization, HCP disables user invitations. HCP returns an error when users try to invite other users to the organization, and users can no longer accept pre-existing pending invitations. You must provision new users through the external identity provider.
User accounts that join through SSO are limited to that one organization within HCP and cannot be associated with an existing personal (GitHub or email-based) account. After you provision a new user, HCP automatically grants them the least privileged role of organization Viewer. An HCP administrator can then manually update and increase their user permissions on the HCP Access Control page.
Existing personal user accounts can still access the organization unless an administrator removes them. Existing user accounts with emails matching the configured SSO domain must log in with the SSO URL link. This link is available on the Single Sign-On page in Settings.
The administrator who owns the organization and enabled SSO can still use their original, non-SSO account to sign in to the HCP web portal and access the SSO-enabled organization. If they previously signed in through GitHub, they can continue doing so. If they signed in with an email and password, they can use a special force email + password sign-in link. This is because the login page defaults to SSO and hides the password when an email matches the configured SSO domain.
The organization owner can also sign up with a new SSO user principal and promote themselves to Admin if appropriate. However, they cannot remove their old user account or transfer ownership. They can use them as a recovery option if the SSO configuration requires troubleshooting.
Refer to the following pages for instructions to set up SSO for specific identity providers.
Only organization owners can edit an SSO configuration. To edit SSO:
- Click Settings and then click SSO. The Single Sign-On page appears.
- Open the Manage menu and select Edit. You can modify the list of domains, the public signing certificate, and the endpoints.
You can add and remove domains, but domains cannot be empty.
- Adding a new domain will allow users with an email address matching the domain to sign up as new SSO users. SSO users using email addresses for the other domains will not be affected. You must also provision new domains on your identity provider and configure them for the Auth0-SSO-Connection.
- Removing an existing domain will affect SSO users whose email addresses match the removed domain. They can sign in through other methods but will become different users in the database. Organization administrators can remove inactive users from the organization.
The organization owner can fully delete the SSO configuration from their organization.
Warning: When you delete an SSO configuration, no SSO user can sign in to HCP. Current SSO users will remain in the organization as inactive.
To delete SSO from an organization:
- Select Delete SSO Configuration in the Manage menu. A dialog appears for you to confirm the deletion of SSO from this organization.
- Type DELETE and then click Delete.
After deletion, the organization owner can re-invite users with the default Access Controls (IAM) system.