Other: Force the use of SSO for logins
Not plannedHello,
I manage our Fivetran account and would like as many as users to use SSO as possible (due to security).
I'm aware that it's good practice to ensure that at least one account has a long and complex password instead of SSO, in case that the SSO mechanism fails for some reason. However, in all other cases I'd like my users to use SSO.
Options to improve the current situation might include:
- Add a "Use SSO" button on Fivetran log in page
- Add ability for account owner to force specific users to use SSO instead of a user name and password
- Add ability for account owner to clear a users' password
Many thanks,
Alastair
-
Official comment
Hi Alastair Bulloch and Jack C, thanks for the feedback. It sounds like you may already be aware that we DO allow account admins to force SSO for all users. That can be handled in the account settings here:
To confirm I understand, you are asking for more configurability around this, so that you can have at least one account that can use a password in case of an issue with SSO?
Thanks!
Amy
-
Alastair Bulloch - did you find a solution to this? Looking for the same type of requirement to force SSO and unset/deactivate password login for all users (expect perhaps a master break glass account in case SSO fails).
-
Not yet, unfortunately.
-
Amy Peterson - thanks, I had missed that setting.
I assume that this won't restrict authentication via API using the API Key and Secret for any scripted tooling we use?
Being able to override at a user or role level ( eg having a Super Admin or something) would be nice, but as long as there is a way to get back in if the SSO fails, such as getting in touch via email with Fivetran support then this should meet my needs.
Cant speak for Alastair Bulloch however.
Many thanks for the follow up!
-
-
Hi Amy,
Yes - you've understood it correctly: I can have all accounts use SAML but this isn't best practice I don't think. At least one account should be able to have a regular password in case SAML fails but the admin should also be able to force all other accounts to have SAML. This gives best of both worlds.
Thanks
A
-
Thanks for confirming Alastair Bulloch! This isn't currently on our roadmap to support, but we will keep it in mind for future enhancements to SSO/SAML.
-
This is indeed similar to my feature request here: Restrict login authorization to SAML (SSO) except for a single super-user
Please sign in to leave a comment.
Comments
8 comments