src/content/docs/aws/enterprise/sso/index.md
Lines changed: 18 additions & 1 deletion
@@ -218,6 +218,23 @@ After configuring the base details for your Identity Provider (IdP), the followi
218
218
219
219

220
220
221
+
## Strict SSO Mode
222
+
223
+
Strict SSO Mode is an optional security enhancement that requires all members of your organization to authenticate exclusively through the configured Identity Provider (IdP). Once enabled, standard username/password login is disabled for your organization and the configured IdP becomes the only permitted way to sign in.
224
+
225
+
This provides two key security benefits:
226
+
227
+
-**Leaked credential protection**: Even if a user's LocalStack password is compromised, attackers cannot log in without going through your IdP.
228
+
-**Revocation enforcement**: When an employee's account is removed or suspended in your IdP, they immediately lose access to LocalStack.
229
+
230
+
### Enabling Strict SSO Mode
231
+
232
+
To enable strict mode, open the identity provider configuration in your LocalStack Web Application profile settings under **Single Sign-on**, and toggle the **Enable Strict SSO Mode** checkbox in the identity provider settings.
233
+
234
+
:::caution
235
+
Before enabling strict mode, ensure all team members have linked their accounts to the configured Identity Provider. Once strict mode is active, any user who has not completed SSO setup will be unable to sign in via password.
236
+
:::
237
+
221
238
## User Roles and Permissions
222
239
223
240
For each new member that joins your org, you can specify user roles and permissions that should be assigned to them.
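Review bot: The last sentence of the caution block says a user who has not completed SSO setup "will be unable to sign in via password", but the opening paragraph of the new section states that password login is disabled for the whole organization once strict mode is on, so the real consequence for those users is a full lockout. Suggest wording it as "will be unable to sign in at all" and adding a sentence on how an organization admin recovers access if the IdP is misconfigured or unavailable, since the added text names no fallback. The "Revocation enforcement" bullet says removed or suspended users "immediately lose access to LocalStack"; it would help to state whether that covers sessions and credentials that are already active or only new sign-in attempts, because readers will rely on that claim for offboarding.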
@@ -227,4 +244,4 @@ For each new member that joins your org, you can specify user roles and permissi
227
244
- Tip: In order to enable self-serve licences (i.e., allowing your users to allocate themselves their own license), make sure to select the **Allow member to issue a license for themselves (or a legacy API key)** permission.
228
245
229
246
230
-

247
+
