Many organisations take advantage of Identity Providers to provide their users with a single account that they can then use to login to the various third-party cloud systems required to perform their job.
For example, a user may use the same account to log in to multiple systems such as Office 365, Salesforce, and Google Docs. When a user leaves the organisation it is simple to kill access to all services by disabling a single account from within the SSO provider's admin portal.
SSO is provided using the OpenID Connect standard. In theory, any Identity Provider who adheres to this standard can be used, however, we have validated (and provided instructions) the following well-known providers:
Rules for SSO user accounts
There are some special rules for SSO user accounts:
The e-mail address for the account must match up with the e-mail address of existing users within your organisation's Identity Provider.
Roles and permissions are still assigned when you add your users' accounts - your Identity Provider is only used to validate your user is allowed access.
The welcome e-mail the user receives is slightly different as they do not have to create a new password as they will be logging in with their corporate SSO account instead.
It is still possible to create non-SSO user accounts during account creation - it is recommended that at least one Administrator account be non-SSO to ensure that you can still login should there be an issue with SSO login.