HashiCorp Cloud Platform
Single Sign-On Overview
HashiCorp Cloud Platform (HCP) allows organizations to configure SAML 2.0 SSO (Single Sign-On) as an alternative to traditional user management with GitHub and email-based options. This can help mitigate account takeover (ATO) attacks, provide a universal source of truth to federate identities from your identity provider (IdP), and help you better manage user access to your organization.
This page provides an overview of SSO for HCP and how to add, update and delete SSO configurations for an organization.
Managing an HCP Organization with SSO Enabled
Organization owners and admins can configure SSO. The Single Sign-On page in Settings displays a summary of the current SSO configuration.
Users
When you enable SSO for an organization, the user invitations feature is no longer offered. You must provision new users through the external identity provider.
User accounts that join through SSO are limited to that one organization within HCP and can’t be associated with an existing personal account such as GitHub or email. After you provision a new user, HCP grants them the default role you selected when configuring SSO for your organization. An HCP administrator can then manually update and increase their user permissions on the HCP Access Control page.
Existing personal user accounts can still access the organization unless an administrator removes them. Existing SAML user accounts with emails matching the configured SSO domain must log in with the SSO URL link. This link is available on the Single Sign-On page in Settings.
It is important to delete SSO accounts for users who were removed from your identity provider, and to ensure that any permissions or tokens granted to them by an HCP product are also removed.
Admins and Owners
The administrator who owns the organization and enabled SSO can still use their original, non-SSO account to sign in to the HCP web portal and access the SSO-enabled organization. If they previously signed in through GitHub, they can continue doing so. If they signed in with an email and password, they can use a special sign-in link that forces email and password authentication. This link is needed because the login page defaults to SSO and hides the password field when the entered email matches the configured SSO domain.
The organization owner can also sign up with a new SSO user principal and promote themselves to Admin if appropriate. However, they cannot remove their old user account or transfer ownership. The original account serves as a recovery option if the SSO configuration requires troubleshooting.
Configure SAML SSO
Refer to the following pages for instructions to set up SSO for specific identity providers.
Configure OIDC SSO
Refer to the following pages for instructions to set up SSO for specific identity providers.
Note: If you are using Google OpenID Connect, we do not recommend using an external user type, since it would allow any user with a Google account to authenticate with your HCP organization. Refer to Google's documentation about the internal user type.
Update SSO
Organization owners and admins can edit an SSO configuration.
To edit SSO:
- Click Settings and then click SSO. You will be redirected to the Single Sign-On page.
- Open the Manage menu and select Edit. Users can modify the list of domains, the public signing certificate, endpoints, and the default organization role.
Users can add and remove domains, but domains cannot be empty.
- Adding a new domain will allow users with an email address matching the domain to sign up as new SSO users. SSO users using email addresses for the other domains will not be affected. You must also provision new domains on your identity provider and configure them for the Auth0-SSO-Connection.
- Removing an existing domain will affect SSO users whose email addresses match the removed domain. They can sign in through other methods but will become different users in the database. Organization administrators can remove inactive users from the organization.
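The two housekeeping tasks described above (removing SSO accounts whose users no longer exist in the identity provider, and assessing which SSO users a domain removal would affect) can be checked offline against exported lists. The following is an added example, not HCP's own tooling or API: it assumes the organization's member list was exported from the HCP Access Control page and the active-user list from the IdP, that each member carries an assumed `auth_type` label (`sso`, `github` or `email`), and that SSO domain matching is exact and case-insensitive. The sample data is constructed.

```python
"""Reconcile exported HCP SSO accounts against the identity provider (illustrative, not HCP code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class HcpMember:
    email: str
    auth_type: str   # assumed labels: "sso", "github" or "email"
    role: str        # HCP role name, e.g. "viewer", "contributor", "admin"


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if it is malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def matches_sso_domain(email: str, sso_domains: Iterable[str]) -> bool:
    """True when the address belongs to one of the configured SSO domains (exact match assumed)."""
    dom = email_domain(email)
    return dom is not None and dom in {d.lower() for d in sso_domains}


def orphaned_sso_accounts(members: Iterable[HcpMember],
                          idp_active_emails: Iterable[str],
                          sso_domains: Iterable[str]) -> List[str]:
    """SSO-provisioned members in a configured SSO domain that the IdP no longer lists as active.

    These are the accounts (and any product permissions or tokens) an admin should remove.
    Non-SSO accounts (GitHub, email) are out of scope: the IdP never governed them.
    """
    active = {e.lower() for e in idp_active_emails}
    return sorted(
        m.email.lower() for m in members
        if m.auth_type == "sso"
        and matches_sso_domain(m.email, sso_domains)
        and m.email.lower() not in active
    )


def domain_removal_impact(members: Iterable[HcpMember], domain: str) -> List[str]:
    """SSO members whose addresses match `domain`; removing that domain turns them into different users."""
    return sorted(
        m.email.lower() for m in members
        if m.auth_type == "sso" and email_domain(m.email) == domain.lower()
    )


# Constructed sample data (not from any real organization).
SSO_DOMAINS = ["example.com", "corp.example.net"]
MEMBERS = [
    HcpMember("alice@example.com", "sso", "admin"),
    HcpMember("Bob@Example.com", "sso", "viewer"),          # removed from the IdP below
    HcpMember("carol@corp.example.net", "sso", "contributor"),
    HcpMember("owner@example.com", "email", "owner"),      # owner's pre-SSO recovery account
    HcpMember("dave@example.com", "github", "viewer"),     # personal GitHub account, not IdP-managed
    HcpMember("broken-entry", "sso", "viewer"),            # malformed row, ignored by the checks
]
IDP_ACTIVE_EMAILS = ["alice@example.com", "carol@corp.example.net"]

if __name__ == "__main__":
    print("orphaned SSO accounts:", orphaned_sso_accounts(MEMBERS, IDP_ACTIVE_EMAILS, SSO_DOMAINS))
    for d in SSO_DOMAINS:
        print(f"removing {d} would affect:", domain_removal_impact(MEMBERS, d))
```

Run the script as-is to see the reconciliation against the sample data; in practice, replace `MEMBERS` and `IDP_ACTIVE_EMAILS` with the exported lists. The checks deliberately leave GitHub and email accounts alone, since those are the accounts the page says remain available (and serve as the owner's recovery path) even when SSO is enabled.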
Delete SSO
Organization owners and admins can delete an SSO configuration from their organization.
Warning: When you delete an SSO configuration, no SSO user can sign in to HCP. Current SSO users will remain in the organization as inactive.
To delete SSO from an organization:
- Select Delete SSO Configuration in the Manage menu. A dialog appears for you to confirm the deletion of SSO from this organization.
- Type DELETE and then click Delete.
After deletion, organization owners and admins can re-invite users with the default Access Controls (IAM) system.