Skip to main content

Single Sign-On

Learn how to enable Single Sign-On for your organization.

Important Single Sign-On Information

  • Multi-org support: SSO users part of multiple organizations can log into each organization.
  • Single Sign-On users with username and password: Users that have been configured directly in Coalesce will be able to login with a username/password even if SSO has been enabled so long as their Coalesce-native user record remains active. If you do not wish to allow username/password-based authentication, you will need to disable or delete the users.
  • Provisioned SSO users: Single Sign-On (SSO) provisioned users are created just in time, when the user initiates their initial login to Coalesce via you SSO provider. Users are not pre-provisioned prior to initial login.
  • Multiple records for the same person: While email is used as the unique username for a user within Coalesce, a single email may end up with multiple active user records, each with a unique User ID, within a given Coalesce account. This occurs when a user has been set up directly within Coalesce, as well as provisioned using your single sign-on (SSO) provider. Review Manage Users to see instructions on disabling or deleting extra users.
  • SSO users will need a new token for each new environment created.

Removing SSO

Once SSO has been enabled for an account, there isn't a way to remove SSO. You can change the configuration. Keep in mind, this can have unintended consequences such as locking users out of the account.

Access Tokens and SSO
  • Access tokens function independently of SSO. Disabling a user in your SSO platform such as Okta, does not remove the access token. You'll need to also remove the user directly in Coalesce to remove any tokens attached to that user.
  • Access tokens are regenerated after each login. Previously issued tokens remain valid. Tokens never expire across all environments and projects. Tokens are revoked when:

Access tokens are removed when:

  • User is deleted in Coalesce.
  • User is disabled in Coalesce.
  • Password changed in Coalesce.
  • Email address change in Coalesce.
  • SSO users will need a new token for each new environment created.
  • Turning Multi-factor Authentication on and off.