
SSO Only (Force SSO)

SSO Only mode requires all users to authenticate through your identity provider (IdP). When enabled, password-based login is disabled for your organization and access is controlled entirely by your IdP.


Two SSO Modes

Intentra supports two levels of SSO:

SSO Enabled (Not Enforced)

  • SSO is available as a login option alongside password authentication
  • Users can sign in with either their password or SSO
  • Invitations still work normally
  • Users with matching email domains auto-join via SSO

This is the default state after configuring SSO. It lets you test SSO before enforcing it.

SSO Only (Enforced)

  • Password authentication is disabled for the organization
  • Users must be assigned the Intentra app in your IdP to sign in
  • Invitations are disabled — access is managed through the IdP
  • Users not assigned in the IdP cannot access the organization
  • Users who sign in via SSO with a matching email domain auto-join as Viewers

Only organization admins can enable SSO Only mode.


Enabling SSO Only

  1. Go to Settings > SSO
  2. Click Enable SSO Only
  3. Confirm the action

When you enable SSO Only:

  • The password connection for your Auth0 Organization is disabled
  • All pending invitations are cancelled
  • The "Invite Member" option on the Members page is replaced with an info banner

What Happens to Existing Users

Users Already in Your Organization

Existing members keep their access and roles. They must sign in through SSO on their next login. If they are not assigned the Intentra app in your IdP, they will be unable to sign in.

The "Alice at Acme" Scenario

Consider Alice, who already has a personal Intentra account with an acme.com email address, when Acme configures SSO with the acme.com domain:

  1. Alice's personal organization and all her data stay intact
  2. When Alice signs in through Acme's SSO, she is auto-joined to the Acme organization as a Viewer
  3. Alice can switch between her personal org and the Acme org using the organization switcher
  4. If Alice is removed from the IdP, she loses access to the Acme org but retains her personal org

Users Removed from the IdP

When a user is removed from (or unassigned from) the Intentra app in your IdP:

  • They can no longer authenticate via SSO
  • With SSO Only enabled, they cannot access the organization at all
  • Their membership in the organization remains until an admin manually removes them
  • They retain access to any other organizations they belong to (e.g., their personal org)

Admin Role Management

With SSO Only, access control is split between two systems:

| System | Controls |
|---|---|
| Your IdP | Who can sign in (app assignment, group membership) |
| Intentra Members page | What role each member has (Admin or Viewer) |

To grant someone access:

  1. Assign them the Intentra app in your IdP
  2. They sign in via SSO and are auto-joined as a Viewer
  3. An admin can promote them to Admin on the Members page

To revoke access:

  1. Unassign or remove the user from the Intentra app in your IdP
  2. Optionally remove them from the Members page in Intentra
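
Because unassigning a user in the IdP leaves their membership and role in place until an admin removes them, it helps to reconcile the two systems periodically. The following is an added example, not part of the Intentra docs: it compares an IdP app-assignment list with a Members-page list and reports leftover memberships, Admins first. The CSV layout, column names and sample addresses are constructed assumptions, not an Intentra or IdP export format.

```python
import csv
import io

# Constructed sample data; the CSV layout and column names are assumptions.
IDP_ASSIGNED_CSV = """email
alice@acme.com
bob@acme.com
erin@acme.com
"""
MEMBERS_CSV = """email,role
Alice@acme.com,Admin
bob@acme.com,Viewer
carol@acme.com,Admin
dave@acme.com,Viewer
"""

def load_rows(text):
    """Parse CSV text into dicts with a normalized (trimmed, lower-cased) email."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["email"] = row["email"].strip().lower()
        rows.append(row)
    return rows

def stale_members(idp_csv, members_csv):
    """Return (email, role) for members no longer assigned the app in the IdP.

    Admins sort first so the highest-privilege leftovers are reviewed first.
    """
    assigned = {r["email"] for r in load_rows(idp_csv)}
    stale = [(m["email"], m["role"].strip())
             for m in load_rows(members_csv) if m["email"] not in assigned]
    return sorted(stale, key=lambda m: (m[1] != "Admin", m[0]))

def not_yet_joined(idp_csv, members_csv):
    """Return IdP-assigned users who have not signed in and auto-joined yet."""
    members = {m["email"] for m in load_rows(members_csv)}
    return sorted(r["email"] for r in load_rows(idp_csv) if r["email"] not in members)

if __name__ == "__main__":
    for email, role in stale_members(IDP_ASSIGNED_CSV, MEMBERS_CSV):
        print(f"remove from Members page: {email} ({role})")
    for email in not_yet_joined(IDP_ASSIGNED_CSV, MEMBERS_CSV):
        print(f"assigned in IdP, not yet a member: {email}")
```
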

Disabling SSO Only

To return to the non-enforced SSO mode:

  1. Go to Settings > SSO
  2. Click Disable SSO Only

Password authentication is re-enabled for the organization. Existing SSO users continue to work. Invitations can be sent again.
