Skip to main content

Single sign-on (SSO)

Single sign-on (SSO) lets a Seqera Platform Cloud organization use its corporate identity provider (IdP) for authentication. After SSO is enabled, users with a matching email domain are routed to the organization's IdP when they sign in.

SSO is available for Cloud Pro organizations and uses Auth0 self-service SSO to connect supported SAML and OpenID Connect (OIDC) identity providers.

Before you begin

  • SSO is available only for Cloud Pro organizations.
  • Only organization owners should configure or manage SSO. For more information, see User roles.
  • Your organization must claim an email domain that is not already claimed by another organization.
  • All existing organization members should use email addresses on the domain you want to claim. If members use other domains, Seqera blocks setup until that mismatch is resolved.
  • Domain ownership is verified during setup before the connection can be activated.
caution

After SSO is enabled, users on the claimed domain authenticate through the configured IdP. If the IdP is unavailable, those users can't fall back to another login method.

Organization settings states

In Organization settings, the SSO experience depends on your subscription tier:

  • Cloud Pro organization owners see an option to configure SSO.
  • Cloud Basic organization owners see an upgrade prompt stating that enterprise SSO is available on Cloud Pro, with a link to pricing information.

Configure SSO

  1. Open your organization, then select Settings.
  2. Choose the option to configure SSO and enter the email domain your organization wants to claim.
  3. Use the setup link generated by Seqera to open the Auth0 self-service SSO wizard.
  4. In the wizard, select your identity provider and complete the provider-specific configuration.
  5. Run the connection test in the Auth0 wizard to confirm that authentication works.
  6. Complete domain ownership verification in the wizard.
  7. Return to Seqera and select Enable SSO to activate the connection.

Seqera validates the domain again when you enable the connection. If the domain configured in the wizard no longer matches the domain claimed in Seqera, activation fails and you must correct the mismatch before continuing.

Sign-in behavior

When an organization has active SSO:

  • The Seqera login flow starts with an email-first step.
  • Users whose email domain matches an active SSO connection are redirected to their corporate IdP.
  • Users whose email domain does not match an SSO connection continue with the standard Seqera login options.
  • Users who previously signed in with a social provider and have a matching SSO domain are redirected to the corporate IdP instead.

User provisioning and account linking

When a user signs in through an active SSO connection for the first time:

  • New users are automatically added to the organization as members.
  • Existing Seqera accounts with the same email are linked to the SSO identity instead of creating a duplicate user.
  • Existing organization memberships, workspace roles, ownership, and run history are preserved.

Newly provisioned users receive the lowest organization-level role by default. Organization owners can then promote those users or grant workspace-level access as needed.

Organization owners can also review whether existing users have been linked to the organization's SSO identity from the organization membership view.

Manage an existing connection

Organization owners can manage the SSO connection from Organization settings:

  • Suspend SSO enforcement without deleting the existing configuration.
  • Re-activate a previously disabled connection.
  • Open a management link for IdP-side changes, such as certificate rotation or provider configuration updates.
  • Delete the connection and release the claimed domain.
note

You can't change the claimed domain through the edit flow. To move SSO to a different domain, delete the existing connection and create a new one.

Audit log coverage

SSO activity is recorded in the audit log for compliance and troubleshooting. Audit coverage includes:

  • SSO configuration changes such as create, enable, disable, and delete
  • User creation through SSO provisioning
  • User sign-in events that include the authentication method
  • Identity-linking updates for existing users

Troubleshooting

The setup link isn't generated

Check whether your organization already contains members with email addresses outside the domain you are trying to claim.

The claimed domain is rejected

The domain may already be claimed by another organization. In that case, contact Seqera support.

Users are not redirected to the corporate IdP

Confirm that SSO is enabled for the organization and that the user's email domain matches the claimed domain.

An existing user sees a linking problem during login

If Seqera can't link an existing account to the SSO identity, the user should contact an organization owner or Seqera support before trying again.

On this Page