Organization SAML single sign-on
Organization single sign-on (SSO) allows organization Owners to configure SAML SSO for all teams in your organization at once with a supported identity provider.
Organization SSO offers a secure and streamlined way to manage access to your organization and supports many popular identity providers, including:
- ADP
- Auth0
- Azure AD SAML
- Duo
- LastPass
- Okta
- OpenID
Users who log in with organization SSO must have a Netlify email address that exactly matches their user ID in your identity provider. For example, a Netlify user with the email address jane@company.com must have that exact email address in your identity provider. Organization SSO does not support multiple email domains for your users.
# Organization SSO scope
By default, teams can log in to Netlify in different ways unless a team or organization Owner enforces SSO.
If organization and team SSO are not enforced, then all Owners, Collaborators, and Billing Admins can log in using any of the Netlify login options. The Netlify login options include GitHub, GitLab, BitBucket, email, or SAML SSO through an identity provider.
Organization Owners can enforce organization SSO and require all teams to log in to Netlify using your SSO configuration for authentication. This applies to everyone who has access to your team or site settings: Owners, Collaborators, and Billing Admins.
Reviewers and Git Contributors do not have access to your team or site settings, so enforcement does not apply to them. Reviewers can only access certain Deploy Previews and are not required to log in with SSO to share review feedback on a Deploy Preview.
# Understanding the user login experience with SSO
Are you a team member who needs to log in with organization SSO?
If you are trying to log in as a team member, see the team member login docs. Note that you can only log in using organization SSO if you are a team Owner, Collaborator, or Billing Admin.
As an organization Owner, if you don’t enforce organization SSO, then a team’s SSO settings apply when users log in using that team ID.
To log in to Netlify with organization SSO:
- Navigate to your SSO login page at https://app.netlify.com/sso, or choose Log in via SSO from the Netlify login page.
- Enter a Netlify team ID for a team you have access to in the organization. This team ID may be a slug, such as test-team-2.
- Netlify redirects you to your identity provider’s login page. Follow the prompts there to complete your authentication.
# Configure organization SSO
As an organization Owner, to set up a new organization SSO connection with a supported identity provider:
- Navigate to your Organization overview page. At the top of the page, use the organization menu to select your organization, then select Organization overview.
- Select Organization SSO, then select Edit configuration.
- Follow the guided flow to set up an organization SSO connection with your preferred identity provider. We recommend testing your SSO connection after you set it up.
Note the name you use for your organization SSO connection
The name you use for your organization SSO connection can appear in your identity provider as a login option. If you have more than one SSO login option for Netlify, we recommend sharing the new name with your users.
Once successfully configured, your team has the option to log in to Netlify and access your organization’s resources using organization SSO.
# Enforce organization SSO
As an organization Owner, once you have successfully set up organization SSO and logged in with it yourself, you can enforce SSO login for all teams in your organization.
As soon as you successfully set up organization SSO, any existing team SSO settings are disabled automatically. Organization SSO overrides team SSO, and team Owners can no longer manage SSO settings for their teams once organization SSO is set up.
Once enforced, all team Owners, Collaborators, and Billing Admins must use your organization SSO configuration to access site or team settings. Enforcing organization or team SSO login does not apply to the Reviewer or Git Contributor roles, which cannot access your team or site settings.
# Prepare to enforce organization SSO
As an organization Owner, you must log in using your organization SSO connection before you can require this authentication for all teams in your organization.
To ensure consistent site access, make sure that everyone who needs access to your site or team settings already has an account with your identity provider under the same email address they use for Netlify. If you are inviting new Netlify users, see Invite new users through organization SSO below.
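The pre-enforcement check above is easy to do by hand for a small team and easy to get wrong for a large one. The script below is an added example, not Netlify's code: it takes a list of Netlify team members with their roles and a list of email addresses from your identity provider, and reports every Owner, Collaborator, or Billing Admin who would be locked out once SSO is enforced, because their Netlify email has no exact match in the identity provider, differs only by letter case, or sits outside the single email domain your SSO supports. Reviewers and Git Contributors are listed but never flagged, since enforcement does not apply to them. The member and identity provider data are constructed sample inputs; in practice you would export them from the team Members page and from your identity provider's user directory.

```python
"""Pre-enforcement audit for Netlify organization SSO (added example, not Netlify's code).

Flags every SSO-required member whose Netlify email does not exactly match a user
in the identity provider, so they can be fixed before 'Only SSO allowed (strict)'
is selected. Inputs are constructed sample data.
"""
from collections import namedtuple

# Roles that must log in through organization SSO once it is enforced.
SSO_REQUIRED_ROLES = {"Owner", "Collaborator", "Billing Admin"}
# Roles that never need SSO because they cannot reach team or site settings.
SSO_EXEMPT_ROLES = {"Reviewer", "Git Contributor"}

Member = namedtuple("Member", "email role team")


def audit_members(members, idp_emails, sso_domain):
    """Return findings keyed by category.

    missing_in_idp: SSO-required members with no exact email match in the IdP
    case_mismatch:  same address differing only by letter case, paired with the
                    IdP spelling (a hint; the docs require an exact match)
    wrong_domain:   SSO-required members outside the single SSO email domain
    exempt:         Reviewers and Git Contributors, listed for completeness
    """
    idp_exact = set(idp_emails)
    idp_by_lower = {e.lower(): e for e in idp_emails}
    findings = {"missing_in_idp": [], "case_mismatch": [], "wrong_domain": [], "exempt": []}
    for m in members:
        if m.role in SSO_EXEMPT_ROLES:
            findings["exempt"].append(m)
            continue
        if m.role not in SSO_REQUIRED_ROLES:
            raise ValueError(f"unknown Netlify role {m.role!r} for {m.email}")
        domain = m.email.rsplit("@", 1)[-1].lower()
        if domain != sso_domain.lower():
            findings["wrong_domain"].append(m)
        if m.email in idp_exact:
            continue
        if m.email.lower() in idp_by_lower:
            findings["case_mismatch"].append((m, idp_by_lower[m.email.lower()]))
        else:
            findings["missing_in_idp"].append(m)
    return findings


def ready_to_enforce(findings):
    """True only when no SSO-required member would be locked out."""
    return not (findings["missing_in_idp"] or findings["case_mismatch"] or findings["wrong_domain"])


# Constructed sample data; these are not real accounts.
NETLIFY_MEMBERS = [
    Member("jane@company.com", "Owner", "test-team-2"),
    Member("Bob@company.com", "Collaborator", "test-team-2"),      # case differs from IdP
    Member("carol@company.com", "Billing Admin", "test-team-2"),   # not in IdP at all
    Member("dave@contractor.example", "Collaborator", "test-team-2"),  # second domain
    Member("erin@company.com", "Reviewer", "test-team-2"),         # exempt role
]
IDP_USERS = ["jane@company.com", "bob@company.com", "erin@company.com"]

if __name__ == "__main__":
    report = audit_members(NETLIFY_MEMBERS, IDP_USERS, "company.com")
    for category, items in report.items():
        for item in items:
            print(f"{category}: {item}")
    print("ready to enforce:", ready_to_enforce(report))
```

Run it against the real exports before selecting the strict login type; only enforce when `ready_to_enforce` is true, otherwise the flagged members lose access to team and site settings the moment you save.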
New personal access tokens needed
Once you enforce organization SSO, any existing personal access tokens (PATs) stop working. You will need to generate new access tokens and replace the old ones wherever they are used.
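Because enforcing organization SSO (and, as noted later on this page, deleting the SSO configuration) invalidates every existing personal access token, it is useful to find out which stored tokens still authenticate. The script below is an added example, not Netlify's code. It calls the Netlify API's current-user endpoint, GET https://api.netlify.com/api/v1/user, with each token as a bearer token; a 401 means the token is no longer accepted. The token names, the token values and the offline fake transport are assumptions for illustration only.

```python
"""Check which stored Netlify personal access tokens still work (added example, not Netlify's code).

Each token is sent as a bearer token to GET /api/v1/user. A 401 is what a token
issued before organization SSO was enforced, or before the SSO configuration was
deleted, will receive. `opener` is injectable so the logic can run offline.
"""
import json
import urllib.error
import urllib.request

NETLIFY_USER_URL = "https://api.netlify.com/api/v1/user"


def check_token(token, opener=urllib.request.urlopen):
    """Return ('valid', email), ('revoked', reason) or ('error', reason)."""
    req = urllib.request.Request(
        NETLIFY_USER_URL, headers={"Authorization": f"Bearer {token}"}
    )
    try:
        with opener(req, timeout=10) as resp:
            user = json.loads(resp.read().decode("utf-8"))
            return "valid", user.get("email", "<no email in response>")
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return "revoked", "401 Unauthorized"
        return "error", f"HTTP {err.code}"
    except urllib.error.URLError as err:
        return "error", f"network error: {err.reason}"


def check_all(tokens, opener=urllib.request.urlopen):
    """Map each token name to 'valid', 'revoked' or 'error'."""
    return {name: check_token(token, opener)[0] for name, token in tokens.items()}


def fake_netlify(accepted):
    """Offline stand-in for urlopen (assumption for this example).

    `accepted` maps token -> account email; any other bearer token receives the
    401 a stale PAT would get from the real API.
    """
    class _Response:
        def __init__(self, body): self._body = body
        def __enter__(self): return self
        def __exit__(self, *exc): return False
        def read(self): return self._body

    def opener(req, timeout=None):
        auth = req.get_header("Authorization") or ""
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
        if token in accepted:
            return _Response(json.dumps({"email": accepted[token]}).encode("utf-8"))
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    return opener


if __name__ == "__main__":
    # Constructed token names; in practice read them from your CI secret store.
    stored = {"ci-deploy": "new-token-after-sso", "old-laptop": "token-from-before-sso"}
    # Drop the opener argument to query the real Netlify API.
    fake = fake_netlify({"new-token-after-sso": "jane@company.com"})
    print(check_all(stored, opener=fake))
```

Anything reported as `revoked` after enforcement must be regenerated by a user who has logged in through organization SSO and then rotated into the pipeline or tool that used it.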
# Enforce organization SSO by editing your SSO configuration’s allowed login types
Once you log in using SSO at https://app.netlify.com/sso, follow these steps to enforce organization SSO for all of your teams:
- Navigate to your Organization overview page. At the top of the page, use the organization menu to select your organization if not already selected, then select Organization overview.
- On your Organization settings page, go to Organization SSO, and select Edit login types.
- Select Only SSO allowed (strict), then Save.
Can’t select the strict SSO option?
If you cannot select the strict SSO option, confirm that your organization SSO connection is successfully configured and that you have logged in to Netlify through your identity provider.
Now, anyone who wants to access your site or team settings must authenticate through your organization’s identity provider.
As an organization Owner, you can reverse enforced organization SSO at any time by selecting All login types allowed and confirming with Save.
# Invite new users through organization SSO
As an organization Owner, you can invite new Netlify users to your organization and give them customized access to the Netlify app.
To invite a new user to access the Netlify app with organization SSO enabled:
- If you haven’t already, invite the user to your identity provider using the same email address that you will use to invite them to Netlify.
Invite new user to identity provider first
If you do not invite the new user to your identity provider before inviting them to Netlify, they will not be able to log in with organization SSO. You must invite them to the identity provider first.
- Navigate to your Organization overview page. At the top of the page, use the organization menu to select your organization, then select Organization overview.
- On your Organization overview page, under Teams, select the team you want to add the Netlify team member to.
- From your Team overview page, go to the Members tab, and select Add members.
- Enter the email addresses for the people you want to add and select Continue. Note that while you can add more than one person at a time, you will only be able to give them the same role in the next step.
- Choose one role for the new Netlify team members. You can choose from team Owner, Collaborator, or Billing Admin. If you choose Collaborator, choose which sites they can access. Then, select Send invites.
New Netlify users will receive a confirmation email. After confirming their email address, they can log in with organization SSO.
# Manage your organization SSO configuration
Once successfully configured, you can test your SSO connection, change your metadata configuration, or reset your SSO connection.
To change your organization SSO configuration:
- Navigate to your Organization overview page. At the top of the page, use the organization menu to select your organization, then select Organization overview.
- On your Organization settings page, go to Organization SSO, and select Edit configuration.
- Use the SSO configuration portal to change your configuration.
# Delete your organization SSO configuration
If you want to use a different identity provider or fall back to any team SSO settings, you can delete your organization SSO configuration. If you only want to reset your SSO connection, manage your organization SSO configuration instead of deleting it.
New personal access tokens needed
Once you delete your organization SSO configuration, any existing personal access tokens stop working. You will need to generate new access tokens and replace the old ones wherever they are used.
To delete your organization SSO configuration:
- Navigate to your Organization overview page. At the top of the page, use the organization menu to select your organization, then select Organization overview.
- Go to Organization settings > Organization SSO and select Delete.