HashiCorp Cloud Platform
Manage SSO for your HCP organization
This page describes the processes to manage SSO configurations for an HCP organization, including how to update, disable, and delete an existing SSO configuration.
Manage an HCP Organization with SSO enabled
Organization owners and admins can configure SSO. The Single Sign-On page in Settings displays a summary of the current SSO configuration.
Users
When you enable SSO for an organization, the user invitations feature is no longer offered. You must provision new users through the external identity provider.
User accounts that join through SSO are limited to that one organization, cannot be associated with an existing personal account such as GitHub or email, and cannot be invited to other organizations within HCP.
After you provision a new user, HCP grants them the default role you selected when configuring SSO for your organization. An HCP administrator can then manually update and increase their user permissions on the HCP Access Control page.
Existing personal user accounts can still access the organization unless an administrator removes them. Existing SAML user accounts with emails matching the configured SSO domain must log in with the SSO URL link. This link is available on the Single Sign-On page in Settings.
It is important to delete the SSO accounts of users who were removed from your identity provider, and to ensure that any permissions or tokens granted to them by an HCP product are also removed.
Admins and owners
The administrator who owns the organization and enabled SSO can still use their original, non-SSO account to sign in to the HCP web portal and access the SSO-enabled organization. If they previously signed in through GitHub, they can continue to access the organization through GitHub as well.
Update SSO configuration
Organization owners and admins can edit an SSO configuration.
To edit SSO:
- Log in to HCP and go to your organization.
- From your organization, click Organization settings.
- Click SSO.
- Open the Manage menu and select Edit. Users can modify the list of domains, the public signing certificate, endpoints, and the default organization role.
Users can add and remove domains, but the list of domains cannot be empty.
- Adding a new domain will allow users with an email address matching the domain to sign up as new SSO users. SSO users using email addresses for the other domains will not be affected. You must also provision new domains on your identity provider and configure them for the Auth0-SSO-Connection.
- Removing an existing domain will affect SSO users whose email addresses match the removed domain. They can sign in through other methods but will become different users in the database. Organization administrators can remove inactive users from the organization.
Disable SSO connection
You can temporarily suspend your existing SSO connection without deleting existing configurations. This approach is useful for operations such as troubleshooting, identity provider outages, and policy changes. When you suspend SSO, user invitations automatically activate. That means existing users can invite other users to your HCP organization according to your current access management settings.
To disable your SSO connection:
- Log in to HCP and go to your organization.
- From your organization, click Organization settings.
- Click SSO.
- Next to your Enabled SSO connection, click .... Then click Disable connection.
- Review the warning that appears. Then click Disable.
HCP returns you to the Single sign-on details page. Your connection's status should appear as Disabled.
When you are ready to re-enable your connection, click ... and Enable connection.
Delete SSO connection
Organization owners and admins can delete an SSO configuration from their organization.
To delete SSO from an organization:
- Log in to HCP and go to your organization.
- From your organization, click Organization settings.
- Click SSO.
- Next to the SSO connection you want to delete, click .... Then click Delete connection.
- A dialog appears for you to confirm the deletion of SSO from this organization.
- Type DELETE and then click Delete.
After deletion, organization owners and admins can re-invite users with the default Access Controls (IAM) system.