Changes in Single-Sign-On V2



Soon we are going to be rolling out some major improvements to how we approach SSO and integration with Google Auth and SAML providers. If you have SSO enabled currently, you won’t need to do anything; we’ll migrate you across without any disruption.

What’s New

  • Participate in multiple organizations with SSO (e.g. a primary org and a secondary open source org, hint hint)
  • Ability to invite users into an SSO organization prior to them joining, along with team membership
  • Invite Contractors and Bots with different email domains into an SSO organization
  • Force re-login via SSO after a timeout for security-conscious orgs
  • Allow requiring users to authenticate via SSO to access an organization
  • Team membership via SAML Attributes from your SSO provider
  • Self-service via GraphQL for enabling/disabling/switching SSO providers with zero downtime

What will change for users?

When the new system is enabled for an organization, everyone will be logged out. If they have a password associated with their account, they will be prompted for it the first time they re-authenticate, but after that they will go back to passwordless login.

For users with a single organization, nothing has changed and they are unlikely to notice the differences after the initial re-authentication. Organization administrators will notice new controls around specifying whether users require SSO or not.

The new features are mainly around multiple organizations: users can participate in several organizations, each of which has its own SSO service.

When will this happen?

We’ll be rolling this change out to selected organizations over the next few weeks and then more broadly starting in December.

As always, we’d love feedback!