Sign-in policy
Route everyone in your organization through your IdP and turn off Viewer's username + password sign-in entirely (SSO-only mode).
SSO-only mode forces everyone in your organization to sign in through your IdP and turns off Viewer's username + password sign-in entirely. When SSO-only is on:
- Password sign-in is rejected — users are directed to your IdP.
- Password change and reset are disabled (there is no password to manage).
- All access flows through your IdP, so your IdP's MFA, conditional access, and offboarding become the single control point for Viewer access.
Guardrails — Viewer will not let you lock yourself out
Two preconditions before you can enable SSO-only:
- At least one SSO connection is enabled — there must be a working way in before the password way is closed.
- You have recently signed in via SSO — Viewer requires a successful federated sign-in within a short window first, so you've just proven the IdP path works for you.
And while SSO-only is on, you cannot disable or delete the only enabled SSO connection — add or enable a second connection first, or turn SSO-only off, before removing the last one.
How to enable
- Sign in as an administrator through your IdP (this satisfies the recent-SSO-sign-in precondition).
- Go to Admin → Identity & Provisioning (/dashboard/admin/identity).
- In the Sign-in policy card, turn on SSO-only and confirm.
- Verify by signing out and confirming the password form is no longer accepted and the IdP path works.
To re-enable username + password sign-in, toggle SSO-only off in the same card — password sign-in is restored immediately.
If you get locked out
If your IdP goes down or an administrator is locked out while SSO-only is on, CHA staff can open a short, time-boxed, audited window that temporarily re-enables password sign-in. This is a staff-only control, not self-serve — see Troubleshooting → Getting help.