Single Sign-On (SSO)
Enterprise: This feature is available with an Enterprise plan.
The Single Sign-On (SSO) feature can be made available on a Strapi application to allow administrators to authenticate through an identity provider (e.g. Microsoft Azure Active Directory).
Plan: Enterprise plan.
Role & permission: Read & Update permissions in Roles > Settings - Single Sign-On.
Activation: Disabled by default.
Environment: Available in both Development & Production environments.
Configuration
- Go to the Global settings > Single Sign-On sub-section of the settings interface.
- Define your settings:
Setting name | Instructions |
---|---|
Auto-registration | Click on True to allow the automatic creation of a new Strapi administrator when an SSO login does not match an existing Strapi administrator account. If this setting is set to False, new Strapi administrator accounts must be created manually beforehand. |
Default role | Choose from the drop-down list the role to attribute by default to Strapi administrators auto-registered through SSO login. |
Local authentication lock-out | Choose from the drop-down list the roles for which the local authentication capabilities are disabled. Users locked out of local authentication will be forced to use SSO to log in and will not be able to change or reset their password. |
- Click the Save button.
Don't select Super Admin in the roles list for the Local authentication lock-out. If Super Admin is selected, it becomes possible to accidentally lock oneself out of the Strapi admin panel entirely. A fix will be provided soon.
In the meantime, the only way to get in if the Super Admin can't log in is to temporarily disable the SSO feature entirely, log in with username and password to remove the Super Admin role from the Local authentication lock-out list, and then re-enable SSO.
Usage
To access the admin panel using a specific provider instead of logging in with a regular Strapi administrator account:
- Go to the URL of your Strapi application's admin panel.
- Click on a chosen provider, whose logo should be displayed at the bottom of the login form. If you cannot see your provider, click the button to access the full list of all available providers.
- You will be redirected to your provider's own login page where you will be able to authenticate.