Single Sign-on (SSO) ¶
Prefect Cloud's Organization and Enterprise plans offer single sign-on (SSO) integration with your team’s identity provider. SSO integration can bet set up with any identity provider that supports:
- SAML 2.0
When using SSO, Prefect Cloud won't store passwords for any accounts managed by your identity provider. Members of your Prefect Cloud organization will instead log in to the organization and authenticate using your identity provider.
Once your SSO integration has been set up, non-admins will be required to authenticate through the SSO provider when accessing organization resources.
See the Prefect Cloud plans to learn more about options for supporting more users and workspaces, service accounts, and SSO.
Within your organization, select the SSO page to enable SSO for users.
If you haven't enabled SSO for a domain yet, enter the email domains for which you want to configure SSO in Prefect Cloud. Select Save to accept the domains.
Under Enabled Domains, select the domains from the Domains list, then select Generate Link. This step creates a link you can use to configure SSO with your identity provider.
Using the provided link navigate to the Identity Provider Configuration dashboard and select your identity provider to continue configuration. If your provider isn't listed, you can continue with the
Open ID Connect choices instead.
Once you complete SSO configuration your users will be required to authenticate via your identity provider when accessing organization resources, giving you full control over application access.
Directory sync automatically provisions and de-provisions users for your organization.
Provisioned users are given basic “Member” roles and will have access to any resources that role entails.
When a user is unassigned from the Prefect Cloud application in your identity provider, they will automatically lose access to Prefect Cloud resources, allowing your IT team to control access to Prefect Cloud without ever signing into the app.