Restrict a user to SAML single sign-on
Restrict a user to authenticate only through Security Assertion Markup Language (SAML) single sign-on (SSO) when SAML is configured for your account. Use this setting when your organization enforces centralised identity management through an identity provider.
Before you begin
SAML SSO must be configured and tested for your account before restricting users. See Secure your CertCentral account.
Confirm the user exists in the identity provider before applying this restriction.
Ensure at least one administrator retains access through an unrestricted authentication method to prevent account lockout.
Important
When SAML SSO-only access is enabled, the user cannot sign in with CertCentral credentials. They must authenticate through the configured identity provider. The user also loses the ability to modify their own username or email address — only an administrator or manager can make those changes.
Restrict authentication to SAML SSO
In the CertCentral main menu, go to Account > Users.
Select the user you want to update.
Locate Authentication settings.
Select Only allow this user to log in through SAML SSO.
Select Update user.
The user must now authenticate through the configured identity provider. Their CertCentral credentials are no longer accepted at sign-in.