
Enterprise connectors

Logto's Single Sign-On (SSO) solution simplifies access management for your enterprise clients. Enterprise SSO connectors are crucial for enabling SSO for your different enterprise clients.

These connectors handle the authentication exchange between your service and the enterprise IdPs. Logto supports both SP-initiated SSO and IdP-initiated SSO, which allow organization members to access your services with their existing company credentials, improving both security and productivity.

Enterprise connectors

Logto provides pre-built connectors for popular enterprise identity providers, offering quick integration. For custom needs, we support integration via OpenID Connect (OIDC) and SAML protocols.

Customize your enterprise connectors

If our standard connectors don't meet your specific requirements, don't hesitate to contact us.

Configuring enterprise connectors

  1. Navigate to: Console > Enterprise SSO.
  2. Click "Add enterprise connector" button and choose a connector type.
  3. Provide a unique name (e.g., Okta for Acme Company).
  4. Configure the connection with your IdP in the "Connection" tab. Check the guides above for each connector type.
  5. Customize the SSO experience and email domain in the "Experience" tab.
  6. For the SAML enterprise connector, enabling IdP-initiated SSO in the "IdP-initiated SSO" tab is optional. Refer to the guide for details.
  7. Save changes.

Please note the following settings:

  • Email domains: If the email domain of the email entered by the user is in the "Enterprise email domains" field of some enterprise SSO connectors, the user will be redirected to the corresponding sign-in URL of that SSO connector.

    Note:

    After you configure email domains in an SSO connector, users signing in with emails belonging to those domains are forced to use SSO sign-in.

    In other words, only emails from domains that are NOT configured in the SSO connectors can use "email + verification code" or "email + password" sign-in (provided that these two sign-in methods are enabled in the sign-in experience).

  • Sync user profiles: Choose when to synchronize user profile information (e.g., avatar, name). The default behavior is "Only sync at first sign-in". "Always sync at each sign-in" is the other choice for this field, but it may overwrite custom user data on every sign-in.

  • Display information: Optionally, customize the display name and logo for the connector. This is very useful when multiple connectors are associated with the same email domain. Users will select the desired IdP from a list of SSO connector buttons before being redirected to the IdP login page.

Enabling enterprise SSO

  1. Navigate to: Console > Sign-in experience > Sign-up and sign-in.
  2. Enable the "Enterprise SSO" toggle.
  3. Save changes.

Once enabled, a "Single Sign-On" button will appear on your sign-in page. Enterprise users with SSO-enabled email domains can access your services using their enterprise identity providers (IdPs). To learn more about the SSO user experience, refer to User flows: Enterprise SSO.
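The following is an added example, not Logto's own code, that models the routing and profile-sync behavior described in the settings above and in the "Enterprise SSO" toggle: a connector's email domains force SSO, several connectors on one domain produce a selection list, unmatched domains fall back to the local sign-in methods, and the two profile-sync policies differ in whether IdP data overwrites stored data. The connector names, URLs and the assumption that domain matching is exact and case-insensitive (so a subdomain does not match its parent) are constructed for illustration.

```python
from dataclasses import dataclass


# Constructed model of an enterprise SSO connector's settings (not Logto's data model).
@dataclass(frozen=True)
class SsoConnector:
    id: str
    display_name: str
    email_domains: frozenset[str]       # the "Enterprise email domains" field
    sign_in_url: str                    # where matching users are redirected
    sync_profile: str = "first_sign_in" # or "always"


def email_domain(email: str) -> str:
    """Return the domain part of an address, lower-cased.

    Assumption: connectors match the domain exactly and case-insensitively,
    so 'sub.acme.example' does not match a connector configured for 'acme.example'.
    """
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def local_options(password_enabled: bool, code_enabled: bool) -> list[str]:
    """Sign-in methods available when the domain is not enterprise-managed."""
    options = []
    if password_enabled:
        options.append("password")
    if code_enabled:
        options.append("verification_code")
    return options


def route_sign_in(email, connectors, sso_enabled, password_enabled=True, code_enabled=True):
    """Decide how the user who typed `email` must sign in.

    Returns one of:
      {"method": "sso", "redirect": url}        exactly one connector claims the domain
      {"method": "sso", "choose_from": [ids]}   several connectors claim it
      {"method": "local", "options": [...]}     no connector claims it
    """
    if not sso_enabled:
        # Assumption: with the "Enterprise SSO" toggle off, connectors are not consulted.
        return {"method": "local", "options": local_options(password_enabled, code_enabled)}
    domain = email_domain(email)
    matches = [c for c in connectors if domain in {d.lower() for d in c.email_domains}]
    if not matches:
        return {"method": "local", "options": local_options(password_enabled, code_enabled)}
    if len(matches) == 1:
        return {"method": "sso", "redirect": matches[0].sign_in_url}
    # Several connectors share the domain: the user picks one from a list of buttons.
    return {"method": "sso", "choose_from": [c.id for c in matches]}


def sync_profile(stored: dict, idp_profile: dict, policy: str, first_sign_in: bool) -> dict:
    """Apply the connector's sync policy; returns the profile to store.

    "first_sign_in": IdP data is copied only once, later edits in your app survive.
    "always":        IdP data wins on every sign-in, overwriting customized fields.
    """
    if policy not in ("first_sign_in", "always"):
        raise ValueError(f"unknown sync policy: {policy!r}")
    if policy == "first_sign_in" and not first_sign_in:
        return dict(stored)
    return {**stored, **idp_profile}


# Constructed sample configuration: two connectors share the "partner.example" domain.
CONNECTORS = [
    SsoConnector("okta-acme", "Okta for Acme", frozenset({"acme.example"}),
                 "https://idp.example/okta-acme"),
    SsoConnector("okta-partner", "Okta for Partner", frozenset({"partner.example"}),
                 "https://idp.example/okta-partner"),
    SsoConnector("azure-partner", "Entra ID for Partner", frozenset({"partner.example"}),
                 "https://idp.example/azure-partner", sync_profile="always"),
]

if __name__ == "__main__":
    for address in ("Alice@ACME.example", "bob@partner.example", "carol@sub.acme.example"):
        print(address, "->", route_sign_in(address, CONNECTORS, sso_enabled=True))
```

The `choose_from` branch is why the "Display information" setting matters: the display name and logo are what the user sees on each button when more than one connector claims the same domain.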

Just-in-time to organization

In Logto, Just-in-Time (JIT) provisioning is a process that auto-assigns organization memberships and roles to users on the fly when they sign in to the system for the first time.

Logto provides an entry point for configuring SSO connector JIT provisioning within an organization, see reference.
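As an added illustration of the JIT behavior described above (not Logto's implementation), the example below provisions organization memberships the first time a user signs in through an SSO connector. The organization and connector ids, the idea that each organization lists the connectors it provisions from together with default roles, and the rule that an existing membership (for example from an earlier invitation) keeps its roles are constructed assumptions; the important property shown is that provisioning is idempotent, so a retried sign-in callback does not grant anything twice.

```python
from dataclasses import dataclass, field


# Constructed model: an organization opts in to JIT for specific SSO connectors.
@dataclass(frozen=True)
class Organization:
    id: str
    jit_connector_ids: frozenset[str]   # connectors whose users are auto-provisioned
    jit_roles: tuple[str, ...]          # default roles granted on provisioning


@dataclass
class User:
    id: str
    memberships: dict[str, set[str]] = field(default_factory=dict)  # org id -> roles


def jit_provision(user: User, connector_id: str, organizations, first_sign_in: bool) -> list[str]:
    """Add the user to every organization that JIT-provisions from `connector_id`.

    Runs only on the user's first sign-in (as described on this page).
    Returns the ids of organizations the user was newly added to.
    """
    if not first_sign_in:
        return []
    added = []
    for org in organizations:
        if connector_id not in org.jit_connector_ids:
            continue
        if org.id in user.memberships:
            # Already a member (e.g. invited earlier): keep the existing roles untouched.
            continue
        user.memberships[org.id] = set(org.jit_roles)
        added.append(org.id)
    return added


# Constructed sample data: Acme's connector feeds two organizations, Partner's feeds one.
ORGANIZATIONS = [
    Organization("org-acme", frozenset({"okta-acme"}), ("member",)),
    Organization("org-acme-eng", frozenset({"okta-acme"}), ("member", "engineer")),
    Organization("org-partner", frozenset({"okta-partner"}), ("guest",)),
]

if __name__ == "__main__":
    alice = User("user-alice")
    print(jit_provision(alice, "okta-acme", ORGANIZATIONS, first_sign_in=True), alice.memberships)
    print(jit_provision(alice, "okta-acme", ORGANIZATIONS, first_sign_in=True))  # retry: nothing new
```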

FAQs

Impact on existing users after Enterprise SSO connector changes?
  • Adding SSO: The SSO identities will be linked to existing accounts if the email matches.
  • Removing SSO: Removes SSO identities linked to the account, but retains user accounts, and prompts users to set up alternative verification methods.
IdP-initiated SSO & SP-initiated SSO
SAML vs. OpenID Connect