Single sign-on (SSO)
You can log in to the Sitecore Cloud Portal using the default Sitecore authentication or using single sign-on. With single sign-on, teams can log in to the Sitecore Cloud Portal and Sitecore apps using their existing identity providers.
Sitecore Cloud Portal supports identity providers that use the OpenID Connect (OIDC) protocol or Security Assertion Markup Language (SAML) protocol. An organization can have up to five SSO connections, with each connection supporting up to 50 domains.
Enabling an SSO connection
To enable SSO for your Sitecore Cloud Portal organization and apps, you need to configure OpenID Connect or SAML.
When your organization enables an SSO connection:
-
Team members that have email addresses with the email domain of an enabled SSO connection will log in using their identity provider in all organizations.
-
Users that belong to the domain of an enabled SSO connection still need to be invited to your organization and accept the invitation before they can log in.
-
Team members that don't belong to an enabled SSO connection are unaffected. They can still log in and retain their current organization role and app roles.
-
Email addresses that do not match the email domain of an enabled SSO connection will log in using the default Sitecore authentication.
-
You have the option to assign XM Cloud roles with claims mapping.
SSO connection sharing
An SSO connection belongs to a single organization but can be shared with other organizations.
When an organization creates and enables an SSO connection, all email addresses that belong to the email domains of the SSO connection will automatically use SSO when they log in to any organization.
When a user logs in to another organization that they have access to, the existing SSO connection is automatically used and doesn't require additional setup.
For example, in organization A, you create and enable an SSO connection with the email domain example.com. Then in organization B, if you invite a team member with an example.com email address, they will automatically use SSO when they log in to organization B.
Deleting an enabled SSO connection
When you delete an enabled SSO connection:
-
Team members associated with the deleted SSO connection can still log in using the default Sitecore authentication.
In most cases, these team members need to reset their password before they can log in. However, if a team member joined the organization before an SSO connection was enabled and can remember their old password, they can log in using their old credentials.
-
Pending invitations to email addresses associated with the deleted SSO connection domain must be sent again.