HashiCorp Cloud Platform
Manage SSO for your HCP organization
This page describes how to manage SSO configurations for an HCP organization, including how to update and delete an existing SSO configuration.
Manage an HCP Organization with SSO enabled
Organization owners and admins can configure SSO. The Single Sign-On page in Settings displays a summary of the current SSO configuration.
Users
When you enable SSO for an organization, the user invitations feature is no longer offered. You must provision new users through the external identity provider.
User accounts that join through SSO are limited to that one organization within HCP and can’t be associated with an existing personal account such as GitHub or email. After you provision a new user, HCP grants them the default role you selected when configuring SSO for your organization. An HCP administrator can then manually update and increase their user permissions on the HCP Access Control page.
Existing personal user accounts can still access the organization unless an administrator removes them. Existing SAML user accounts with emails matching the configured SSO domain must log in with the SSO URL link. This link is available on the Single Sign-On page in Settings.
It is important to delete the SSO accounts of users who were removed from your identity provider, and to ensure that any permissions or tokens granted to them by an HCP product are also revoked.
Admins and owners
The administrator who owns the organization and enabled SSO can still use their original, non-SSO account to sign in to the HCP web portal and access the SSO-enabled organization. If they previously signed in through GitHub, they can continue doing so. If they signed in with an email and password, they can use a dedicated sign-in link that forces email and password authentication. This link is needed because the login page defaults to SSO and hides the password field when an email matches the configured SSO domain.
The organization owner can also sign up with a new SSO user principal and promote that principal to Admin if appropriate. However, they cannot remove their old user account or transfer ownership. They can keep the old account as a recovery option in case the SSO configuration requires troubleshooting.
Update SSO
Organization owners and admins can edit an SSO configuration.
To edit SSO:
- Click Settings and then click SSO. You will be redirected to the Single Sign-On page.
- Open the Manage menu and select Edit. Users can modify the list of domains, the public signing certificate, endpoints, and the default organization role.
Users can add and remove domains, but the domain list cannot be empty.
- Adding a new domain allows users with an email address matching that domain to sign up as new SSO users. SSO users with email addresses on the other domains are not affected. You must also provision new domains on your identity provider and configure them for the Auth0-SSO-Connection.
- Removing an existing domain affects SSO users whose email addresses match the removed domain. They can sign in through other methods, but they will become different users in the database. Organization administrators can remove inactive users from the organization.
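The following is an added example, not code from HCP or this documentation, that models the email-domain rules described above: sign-ins are routed to SSO when the email's domain matches a configured SSO domain, the domain list must never be empty, removing a domain affects the SSO users on that domain, and SSO accounts whose identity was removed from the identity provider should be found and deleted. The SsoConfig and User classes, the sample users and the in_idp flag are constructed for this example, and exact, case-insensitive domain matching (so that a subdomain or a look-alike suffix does not match) is an assumption of the example, not a documented HCP behaviour.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class User:
    """Constructed stand-in for an HCP organization member."""
    email: str
    sso: bool            # provisioned through SSO, not a personal GitHub/email account
    in_idp: bool = True  # constructed flag: the identity provider still lists this user


def email_domain(email: str) -> Optional[str]:
    """Return the lowercased domain part of an email, or None if it is malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


class SsoConfig:
    """Hypothetical model of the SSO domain list shown on the Single Sign-On page."""

    def __init__(self, domains: Iterable[str]) -> None:
        self.domains = {d.lower() for d in domains}
        if not self.domains:
            raise ValueError("an SSO configuration needs at least one domain")

    def routes_to_sso(self, email: str) -> bool:
        # Exact, case-insensitive match on the whole domain (an assumption of this
        # example): 'sub.example.com' and 'example.com.evil' do not match 'example.com'.
        domain = email_domain(email)
        return domain is not None and domain in self.domains

    def add_domain(self, domain: str) -> None:
        """Adding a domain lets matching email addresses sign up as new SSO users."""
        self.domains.add(domain.lower())

    def remove_domain(self, domain: str, users: Iterable[User]) -> List[User]:
        """Remove a domain and return the SSO users it affects; never empty the list."""
        domain = domain.lower()
        if domain not in self.domains:
            raise KeyError(domain)
        if len(self.domains) == 1:
            raise ValueError("the SSO domain list cannot be empty")
        self.domains.remove(domain)
        return [u for u in users if u.sso and email_domain(u.email) == domain]


def orphaned_sso_users(users: Iterable[User]) -> List[User]:
    """SSO accounts no longer present in the IdP: delete them and revoke their tokens."""
    return [u for u in users if u.sso and not u.in_idp]


# Constructed sample data for the example.
CONFIG = SsoConfig(["example.com", "Example.org"])
USERS = [
    User("alice@example.com", sso=True),
    User("bob@example.org", sso=True, in_idp=False),   # removed from the IdP
    User("carol@example.com", sso=False),              # owner's original personal account
    User("dave@sub.example.com", sso=False),
]

if __name__ == "__main__":
    print(CONFIG.routes_to_sso("Alice@EXAMPLE.com"))        # True
    print(CONFIG.routes_to_sso("mallory@example.com.evil"))  # False
    print([u.email for u in orphaned_sso_users(USERS)])      # ['bob@example.org']
    affected = CONFIG.remove_domain("example.org", USERS)
    print([u.email for u in affected])                       # ['bob@example.org']
```

The orphan check is the part worth automating: export the user list from your identity provider and from the HCP organization on a schedule, and treat every SSO account missing from the identity provider as an account to delete together with any product tokens it holds.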
Delete SSO
Organization owners and admins can delete an SSO configuration from their organization.
Warning
When you delete an SSO configuration, no SSO user can sign in to HCP. Current SSO users will remain in the organization as inactive.
To delete SSO from an organization:
- Select Delete SSO Configuration in the Manage menu. A dialog appears for you to confirm the deletion of SSO from this organization.
- Type DELETE and then click Delete.
After deletion, organization owners and admins can re-invite users with the default Access Controls (IAM) system.