SSO-Only Authentication Enforcement
SSO-Only Authentication Enforcement lets workspace admins restrict how members sign in to Theneo. When enabled, the standard email and password login fields are disabled, members must authenticate exclusively through your configured SSO provider. This ensures your organization's identity and access policies are consistently enforced across the workspace.
SSO-Only Enforcement applies to all workspace members. Make sure your SSO integration is fully configured and tested before enabling this toggle.
Prerequisites
Before enabling SSO-Only enforcement, confirm the following:
SSO Integration Configured
Your workspace has an active SSO connection set up. At least one SSO provider (e.g. Okta, Google, Azure AD) must be enabled.
Admin Role Required
Only workspace admins can toggle SSO-Only enforcement. Ensure you have the appropriate permissions before proceeding.
Members Notified
Inform your team before enabling this setting. Members who attempt to use email and password after the toggle is turned on will be redirected to SSO login.
Enabling SSO-Only Authentication
1
Open Workspace Settings
Open Admin panel → workspace settings
4
Enable the SSO-Only toggle
Enforce SSO-Only Authentication
This change takes effect immediately. Email and password fields will be disabled for all workspace members as soon as you confirm.
5
Verify the enforcement is active
SSO-Only mode is enforced
Member Experience After Enforcement
When SSO-Only Authentication is enabled, the login experience changes for all workspace members - if a member attempts to enter their email and password, the fields will not accept input and a message will appear explaining that SSO is required for this workspace. They will be guided to use the SSO login option. Members who do not yet have an account linked via SSO should contact their admin to ensure their identity provider account is properly set up.
Disabling SSO-Only Authentication
To revert to allowing both email/password and SSO login, follow the same steps and toggle Enforce SSO-Only Authentication off. Email and password login will be re-enabled for all members immediately.
Disabling this setting does not affect your SSO configuration - members can continue to use SSO login alongside email and password after enforcement is turned off.
Frequently Asked Questions
What happens to members who only use email and password?
What happens to members who only use email and password?
They will lose the ability to sign in via email and password as soon as SSO-Only mode is enabled. Admins should ensure all members have valid accounts with the configured SSO provider before turning on enforcement.
Can I exclude specific members from SSO enforcement?
Can I exclude specific members from SSO enforcement?
No - SSO-Only enforcement applies to all members of the workspace uniformly. There is currently no per-member override. If you need mixed authentication modes, consider keeping enforcement disabled.
What if our SSO provider goes down?
What if our SSO provider goes down?
If your SSO provider is unavailable and SSO-Only is enforced, members will be unable to log in until the provider is restored. Workspace admins should plan for SSO downtime contingencies with their identity provider team.
What made this section helpful for you?
What made this section unhelpful for you?
On this page
- SSO-Only Authentication Enforcement