Version: User Guides (BYOC)

Enforce SSO in Your Organization

By default, after Single Sign-on (SSO) is configured for an organization, members can still choose to log in with email/password or third-party accounts (Google, GitHub). SSO enforcement removes this flexibility by mandating that all members use SSO as the only login method.

This feature is designed for organizations that need to meet enterprise security and compliance requirements, such as centralized authentication, audit controls, and identity governance through an identity provider (IdP).

Overview

When SSO enforcement is enabled for an organization:

  • Members who attempt to log in with email/password or third-party accounts (Google, GitHub) are blocked and prompted to log in via SSO instead.

  • If a user belongs to multiple organizations and any of those organizations has SSO enforcement enabled, the user must log in via SSO. This applies regardless of which organization the user intends to access.

  • Organization Owners are automatically exempt and can still log in with other methods. See Exemption rules for details.

  • All active sessions for non-exempt members are immediately invalidated. Affected members are logged out and must re-authenticate via SSO.

  • Direct organization member invitations are disabled. You should provision users through your IdP. Project-level invitations are limited to existing organization members only.

  • If your organization has MFA enabled on Zilliz Cloud, it will be automatically disabled when SSO enforcement is turned on. If MFA is required, configure it within your IdP instead.

Before you start

Before enabling SSO enforcement, ensure the following:

  • You are an Organization Owner in the Zilliz Cloud organization.

  • An SSO connection has been configured and validated for your organization. For setup instructions, refer to the configuration guide for your IdP (e.g., Okta (OIDC)).

  • All intended members have been assigned to the SSO application in your IdP and can successfully log in via SSO.

Enable SSO enforcement

1. Log in to the Zilliz Cloud console and go to the organization for which you want to enable SSO enforcement.

2. In the left-side navigation pane, click Settings.

3. On the Settings page, find the Single Sign-On (SSO) section. Ensure SSO is already configured and enabled.

4. Locate the Enforce SSO Login toggle and turn it on.

5. Click Confirm. This will log out all members currently using passwords and disable direct member invitations.

Once enabled, all organization members (except Organization Owners) must log in via SSO. Attempts to log in with email/password or third-party accounts (Google, GitHub) will be blocked.

Disable SSO enforcement

1. In the Zilliz Cloud console, navigate to Settings and find the Single Sign-On (SSO) section.

2. Turn off the Enforce SSO Login toggle.

3. Click to confirm.

After SSO enforcement is disabled, members can log in with their original passwords.

Exemption rules

Organization Owners are automatically exempt from SSO enforcement. This serves as a break-glass mechanism to ensure that at least one administrator can always access the organization, even if the IdP is misconfigured or unavailable.

The exemption logic follows these rules:

  • A user who is an Organization Owner in every SSO-enforced organization they belong to is exempt and can log in with any method.

  • A user who is an Organization Owner in some SSO-enforced organizations but a regular member in any other SSO-enforced organization is not exempt and must log in via SSO.

The following table illustrates the exemption behavior for users across multiple organizations:

| User    | Org A (SSO enforced) | Org B (SSO enforced) | Org C (no enforcement) | Exempt? |
|---------|----------------------|----------------------|------------------------|---------|
| User X  | Org Owner            | Org Owner            | Any role               | Yes     |
| User Y1 | Org Owner            | Org Member           | Org Owner              | No      |
| User Y2 | Org Owner            | Org Member           | Org Member             | No      |
| User Y3 | Org Member           | Org Member           | Org Owner              | No      |
| User Z  | Org Member           | Org Member           | Org Member             | No      |

In summary, a user is only exempt if they hold the Organization Owner role in all organizations that have SSO enforcement enabled. Being an Organization Owner in a non-enforced organization does not grant exemption.
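The exemption rule above and the session-invalidation behavior from the Overview can be modeled as a small pre-flight check, so an administrator can see who keeps a break-glass login and whose sessions will be dropped before flipping the toggle. The following is an added illustration, not Zilliz Cloud code; the user directory, organization names and the `sessions_invalidated_by_enabling` helper are constructed for the example.

```python
OWNER = "Org Owner"
MEMBER = "Org Member"
NON_SSO_METHODS = {"password", "google", "github"}

def is_exempt(memberships, enforced):
    """True if the user holds Org Owner in every SSO-enforced org they belong to.
    memberships: {org_name: role}; enforced: set of orgs with enforcement on.
    Roles in non-enforced orgs never count toward exemption."""
    return all(role == OWNER for org, role in memberships.items() if org in enforced)

def must_use_sso(memberships, enforced):
    """True if the user belongs to at least one enforced org and is not exempt.
    A user in no enforced org is unaffected, whatever their roles elsewhere."""
    in_enforced = any(org in enforced for org in memberships)
    return in_enforced and not is_exempt(memberships, enforced)

def login_allowed(memberships, enforced, method):
    """Decide whether a login with `method` ('sso', 'password', 'google',
    'github') is accepted under the enforcement rule."""
    if method == "sso":
        return True
    if method not in NON_SSO_METHODS:
        raise ValueError(f"unknown login method: {method}")
    return not must_use_sso(memberships, enforced)

def sessions_invalidated_by_enabling(users, enforced, new_org):
    """Hypothetical pre-flight check: users who are not required to use SSO
    today but would be once `new_org` is enforced. These are the non-exempt
    sessions the console invalidates when the toggle is turned on."""
    after = enforced | {new_org}
    return sorted(name for name, roles in users.items()
                  if not must_use_sso(roles, enforced) and must_use_sso(roles, after))

# Constructed directory mirroring the table in the guide (Org A and Org B enforced).
USERS = {
    "User X":  {"Org A": OWNER,  "Org B": OWNER,  "Org C": MEMBER},
    "User Y1": {"Org A": OWNER,  "Org B": MEMBER, "Org C": OWNER},
    "User Y2": {"Org A": OWNER,  "Org B": MEMBER, "Org C": MEMBER},
    "User Y3": {"Org A": MEMBER, "Org B": MEMBER, "Org C": OWNER},
    "User Z":  {"Org A": MEMBER, "Org B": MEMBER, "Org C": MEMBER},
}
ENFORCED = {"Org A", "Org B"}

if __name__ == "__main__":
    for name, roles in USERS.items():
        print(f"{name}: exempt={is_exempt(roles, ENFORCED)}")
    # Enabling enforcement in Org C would cost User X the break-glass exemption.
    print("logged out if Org C enforced:", sessions_invalidated_by_enabling(USERS, ENFORCED, "Org C"))
```

Running the check with Org C added to the enforced set shows that User X, an Org Member there, would lose the exemption, which is the case to watch for when the only break-glass Owner also holds a plain membership elsewhere.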