Single Sign-On (SSO)
The Single Sign-On (SSO) feature can be made available on a Strapi application to allow administrators to authenticate through an identity provider (e.g. Microsoft Azure Active Directory).
Plan: Enterprise plan or SSO add-on.
Role & permission: Read & Update permissions in Roles > Settings - Single Sign-On.
Activation: Disabled by default.
Environment: Available in both Development & Production environment.
Configuration
General settings for SSO are available in the admin panel, and additional SSO providers can be configured via your Strapi project's code.
Admin panel settings
Path to configure the feature: Global settings > Single Sign-On
- In the Single Sign-On interface, define your chosen new settings:
| Setting name | Instructions |
|---|---|
| Auto-registration | Click on True to allow the automatic creation of a new Strapi administrator when an SSO login does not match an existing Strapi administrator account. If this setting is set on False, new Strapi administrators accounts must be created manually beforehand. |
| Default role | Choose among the drop-down list the role to attribute by default to auto-registered Strapi administrators through SSO login. |
| Local authentication lock-out | Choose among the drop-down list the roles for which the local authentication capabilities are disabled (see RBAC feature documentation). Users locked out of local authentication will be forced to use SSO to login and will not be able to change or reset their password. |
- Click the Save button.
Don't select Super Admin in the roles list for the Local authentication lock-out. If Super Admin is selected, it becomes possible to accidentally lock oneself out of the Strapi admin panel entirely. A fix will be provided soon.
In the meantime, the only way to get in if the Super Admin can't log in is to temporarily disable the SSO feature entirely, log in with username and password to remove the Super Admin role from the Local authentication lock-out list, and then re-enable SSO.
Code-based configuration
The SSO configuration lives in the /config/admin file. The following dedicated guide will help you configure additional sign-in and sign-up methods for the Strapi admin panel:
Usage
To access the admin panel using a specific provider instead of logging in with a regular Strapi administrator account:
- Go to the URL of your Strapi application's admin panel.
- Click on a chosen provider, which logo should be displayed at the bottom of the login form. If you cannot see your provider, click the
button to access the full list of all available providers. - You will be redirected to your provider's own login page where you will be able to authenticate.