Enterprise SSO identity
Enterprise SSO account linking
New users sign-in with enterprise SSO
When a new user signs up with a new enterprise SSO identity, Logto will automatically create a new user account associated with the enterprise identity. The primary email, name and avatar will be automatically populated with the data provided by the IdP. Other additional user profile data will be stored under the user's SSO identity profile.
The profile linking behaviour can differ when SAML attribute mapping is not correctly configured or when the user's email is not provided by the identity provider.
Existing users sign-in with enterprise SSO
If the working email address associated with the enterprise SSO identity matches an existing user account in Logto, Logto will link the enterprise SSO identity to the existing user account automatically.
Once an email domain has been associated with an enterprise SSO connector, all existing users with that email domain will be restricted to signing in with the enterprise SSO connector. Their previous sign-in methods (e.g. email/password, email verification code and social sign-in) will be blocked.
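The linking rules from the two sections above (create a new account from IdP data, link to an existing account on an email match, and block non-SSO methods for a bound domain), modelled as an added example. This is illustrative code, not Logto's own implementation; the type shapes, function names and the handling of an identity with no email are assumptions.

```typescript
// Added example, not Logto's own code. Types and names below are assumptions.
type SsoIdentity = {
  issuer: string; id: string; email?: string; name?: string; avatar?: string;
  extra: Record<string, string>; // additional IdP attributes beyond email/name/avatar
};
type SsoIdentityRecord = { issuer: string; id: string; profile: Record<string, string> };
type User = {
  id: string; primaryEmail?: string; name?: string; avatar?: string;
  hasPassword: boolean; ssoIdentities: SsoIdentityRecord[];
};
type SignInMethod = 'password' | 'email_code' | 'social' | 'enterprise_sso';
type LinkResult = { action: 'created' | 'linked' | 'unresolved'; user?: User; reason?: string };

const emailDomain = (email: string): string => email.slice(email.lastIndexOf('@') + 1).toLowerCase();

// Decide what happens when an enterprise SSO assertion arrives for `identity`.
function resolveSsoSignIn(identity: SsoIdentity, users: User[]): LinkResult {
  // Without an email from the IdP, email-based linking is impossible; this example
  // refuses to auto-link rather than guess (assumed handling, see the note above).
  if (!identity.email) return { action: 'unresolved', reason: 'IdP did not provide an email' };
  const email = identity.email.toLowerCase();
  const ssoRecord: SsoIdentityRecord = { issuer: identity.issuer, id: identity.id, profile: identity.extra };
  // Existing account with the same email: attach the SSO identity to it.
  const existing = users.find((u) => u.primaryEmail?.toLowerCase() === email);
  if (existing) {
    existing.ssoIdentities.push(ssoRecord);
    return { action: 'linked', user: existing };
  }
  // No match: create a new account populated from the IdP data.
  const created: User = {
    id: `user_${users.length + 1}`, primaryEmail: identity.email, name: identity.name,
    avatar: identity.avatar, hasPassword: false, ssoIdentities: [ssoRecord],
  };
  users.push(created);
  return { action: 'created', user: created };
}

// Once a domain is bound to an enterprise connector, only enterprise SSO may be used for it.
function isSignInMethodAllowed(email: string, method: SignInMethod, boundDomains: Set<string>): boolean {
  return method === 'enterprise_sso' || !boundDomains.has(emailDomain(email));
}
```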
Multi-factor authentication (MFA) with enterprise SSO
When using enterprise SSO, MFA requirements are typically managed by the IdP. In Logto, all authenticated identities from the IdP are considered trusted, so MFA validation is bypassed for users signing in via enterprise SSO to enhance the user experience. It’s essential to ensure that MFA protection is enabled on the IdP side.
Deleting an enterprise connector
When you delete an enterprise connector from Logto:
- User accounts remain: The user accounts are not deleted; only their link to the enterprise identity provider is removed.
- Next time users sign in: The next time these users attempt to sign in, they will be prompted to use an alternative method, such as the standard sign-in method configured in Logto (e.g., email and password). If they haven't previously set a password, they will be guided to create one at this point.
- User SSO identity profile deletion: The user's SSO identity as well as the associated profile data will be deleted from Logto.