From aef07a97b0ef62c096e029c43405fdd36de4530f Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Wed, 18 Mar 2026 11:43:38 +0200 Subject: [PATCH 1/5] Add Cloud Pro SSO documentation --- platform-cloud/cloud-sidebar.json | 1 + .../docs/orgs-and-teams/organizations.md | 39 +++---- .../docs/orgs-and-teams/single-sign-on.md | 103 ++++++++++++++++++ 3 files changed, 124 insertions(+), 19 deletions(-) create mode 100644 platform-cloud/docs/orgs-and-teams/single-sign-on.md diff --git a/platform-cloud/cloud-sidebar.json b/platform-cloud/cloud-sidebar.json index 321202d01..eba617f43 100644 --- a/platform-cloud/cloud-sidebar.json +++ b/platform-cloud/cloud-sidebar.json @@ -153,6 +153,7 @@ "label": "Administration", "items": [ "orgs-and-teams/organizations", + "orgs-and-teams/single-sign-on", "orgs-and-teams/workspace-management", "orgs-and-teams/roles", "orgs-and-teams/custom-roles", diff --git a/platform-cloud/docs/orgs-and-teams/organizations.md b/platform-cloud/docs/orgs-and-teams/organizations.md index e65be14c2..55ca5d435 100644 --- a/platform-cloud/docs/orgs-and-teams/organizations.md +++ b/platform-cloud/docs/orgs-and-teams/organizations.md 
@@ -6,7 +6,7 @@ last updated: "2025-07-01" tags: [organizations, administration, workspaces, create-organization, organization-settings] --- -Organizations are the top-level structure and contain workspaces, members, and teams. Before you start using Platform, consider the projects, research areas, and resources you'd like to build out and who'll be using them so that you can scale up easily. +Organizations are the top-level structure and contain workspaces, members, and teams. Before you start using Platform, consider the projects, research areas, and resources you'd like to build out and who'll be using them so that you can scale up easily. You can create multiple organizations, each of which can contain multiple workspaces with shared users and resources. This means you can customize and organize the use of resources while maintaining an access control layer for users associated with a workspace. A workspace can be public (shared across the organization) or private (accessible only to the user who created it) 
@@ -27,21 +27,23 @@ When you create an organization, you become the organization owner. Organization 3. Enter any other optional fields as needed: **Description**, **Location**, **Website URL**, and **Logo**. 4. Select **Add**. -You can invite or add additional members to the workspace from the workspace **Settings** page. +You can invite or add additional members to the workspace from the workspace **Settings** page. -### Organization settings +### Organization settings Organization owners can view, edit, and delete organizations in the **Organization settings** screen. Select your organization from the drop-down menu, then select **Settings** in the sidebar. -#### Edit or delete an organization +Cloud Pro organizations can also configure and manage [single sign-on (SSO)](./single-sign-on) from the organization settings page. + +#### Edit or delete an organization Select **Edit** in the **Edit organization** row to update the organization name, full name, description, location, website URL, and logo. Select **Update** to save. -To delete your organization, select **Delete** in the **Delete organization** card. +To delete your organization, select **Delete** in the **Delete organization** card. ## Members -You can view the list of all **Members** from the organization's landing page. +You can view the list of all **Members** from the organization's landing page. Seqera provides access control for members of an organization by classifying them either as an **Owner** or a **Member**. Each organization can have multiple owners and members. 
@@ -85,34 +87,33 @@ New collaborators to an organization's workspace can be added as **Participants* **Collaborators** can only be added from a workspace. For more information, see [workspace management](./workspace-management#create-a-new-workspace). ::: -## Organization resource usage tracking +## Organization resource usage tracking Select **Usage overview** next to the organization and workspace selector dropdown to view a window with the following usage details: -- **Run history**: The total number of pipeline runs. +- **Run history**: The total number of pipeline runs. - **Concurrent runs**: Total simultaneous pipeline runs. - **Running Studio sessions**: Number of concurrent running Studio sessions. -- **Users**: Total users per organization. +- **Users**: Total users per organization. -Organization resource usage information is also displayed on the organization's **Settings** tab in the sidebar of the organization landing page. +Organization resource usage information is also displayed on the organization's **Settings** tab in the sidebar of the organization landing page. -Select **Contact us to upgrade** if you need to increase your Platform usage limits for your organization. +Select **Contact us to upgrade** if you need to increase your Platform usage limits for your organization. :::info -Usage limits differ per organization and [subscription type](https://seqera.io/pricing/). [Contact us](https://seqera.io/contact-us/) to discuss your needs. +Usage limits differ per organization and [subscription type](https://seqera.io/pricing/). [Contact us](https://seqera.io/contact-us/) to discuss your needs. ::: -### Credits +### Credits [Seqera Compute](../compute-envs/seqera-compute) environments consume credits when running pipelines or Studio sessions. Credits are consumed for CPU time, memory and storage usage, and network costs. 
One Seqera Compute credit is equivalent to $1 (USD), and resources are charged at the following rates: - CPU time: 1 CPU/Hr = 0.1 credits -- Memory: 1 GiB/Hr = 0.025 credits -- Storage: 1 GB = 0.025 credits per month +- Memory: 1 GiB/Hr = 0.025 credits +- Storage: 1 GB = 0.025 credits per month -:::note -Storage and network costs vary per region and are charged at standard AWS rates. Data ingress and egress across regions incur additional costs. +:::note +Storage and network costs vary per region and are charged at standard AWS rates. Data ingress and egress across regions incur additional costs. ::: -Your available credit balance depends on the credits purchased and limits applied to your Seqera license. The **Credits** view contains the current credit balance available to the organization, and the total credits spent in the organization's workspaces. Select **Contact us to upgrade** to request additional credits for your organization. - +Your available credit balance depends on the credits purchased and limits applied to your Seqera license. The **Credits** view contains the current credit balance available to the organization, and the total credits spent in the organization's workspaces. Select **Contact us to upgrade** to request additional credits for your organization. diff --git a/platform-cloud/docs/orgs-and-teams/single-sign-on.md b/platform-cloud/docs/orgs-and-teams/single-sign-on.md new file mode 100644 index 000000000..bf95baccb --- /dev/null +++ b/platform-cloud/docs/orgs-and-teams/single-sign-on.md 
@@ -0,0 +1,103 @@ +--- +title: "Single sign-on (SSO)" +description: "Configure single sign-on for a Seqera Platform Cloud organization." +date created: "2026-03-10" +last updated: "2026-03-10" +tags: [sso, authentication, organization-settings, cloud-pro] +--- + +Single sign-on (SSO) lets a Seqera Platform Cloud organization use its corporate identity provider (IdP) for authentication. After SSO is enabled, users with a matching email domain are routed to the organization's IdP when they sign in. + +SSO is available for **Cloud Pro** organizations and uses Auth0 self-service SSO to connect supported SAML and OpenID Connect (OIDC) identity providers. + +## Before you begin + +- SSO is available only for [Cloud Pro](https://seqera.io/pricing/) organizations. +- Only organization owners should configure or manage SSO. For more information, see [User roles](./roles). +- Your organization must claim an email domain that is not already claimed by another organization. +- All existing organization members should use email addresses on the domain you want to claim. If members use other domains, Seqera blocks setup until that mismatch is resolved. +- Domain ownership is verified during setup before the connection can be activated. + +:::caution +After SSO is enabled, users on the claimed domain authenticate through the configured IdP. If the IdP is unavailable, those users can't fall back to another login method. +::: + +## Organization settings states + +In **Organization settings**, the SSO experience depends on your subscription tier: + +- Cloud Pro organization owners see an option to configure SSO. +- Cloud Basic organization owners see an upgrade prompt stating that enterprise SSO is available on Cloud Pro, with a link to pricing information. + +## Configure SSO + +1. Open your organization, then select **Settings**. +2. Choose the option to configure SSO and enter the email domain your organization wants to claim. +3. 
Use the setup link generated by Seqera to open the Auth0 self-service SSO wizard. +4. In the wizard, select your identity provider and complete the provider-specific configuration. +5. Run the connection test in the Auth0 wizard to confirm that authentication works. +6. Complete domain ownership verification in the wizard. +7. Return to Seqera and select **Enable SSO** to activate the connection. + +Seqera validates the domain again when you enable the connection. If the domain configured in the wizard no longer matches the domain claimed in Seqera, activation fails and you must correct the mismatch before continuing. + +## Sign-in behavior + +When an organization has active SSO: + +- The Seqera login flow starts with an email-first step. +- Users whose email domain matches an active SSO connection are redirected to their corporate IdP. +- Users whose email domain does not match an SSO connection continue with the standard Seqera login options. +- Users who previously signed in with a social provider and have a matching SSO domain are redirected to the corporate IdP instead. + +## User provisioning and account linking + +When a user signs in through an active SSO connection for the first time: + +- New users are automatically added to the organization as members. +- Existing Seqera accounts with the same email are linked to the SSO identity instead of creating a duplicate user. +- Existing organization memberships, workspace roles, ownership, and run history are preserved. + +Newly provisioned users receive the lowest organization-level role by default. Organization owners can then promote those users or grant workspace-level access as needed. + +Organization owners can also review whether existing users have been linked to the organization's SSO identity from the organization membership view. 
+ +## Manage an existing connection + +Organization owners can manage the SSO connection from **Organization settings**: + +- Suspend SSO enforcement without deleting the existing configuration. +- Re-activate a previously disabled connection. +- Open a management link for IdP-side changes, such as certificate rotation or provider configuration updates. +- Delete the connection and release the claimed domain. + +:::note +You can't change the claimed domain through the edit flow. To move SSO to a different domain, delete the existing connection and create a new one. +::: + +## Audit log coverage + +SSO activity is recorded in the audit log for compliance and troubleshooting. Audit coverage includes: + +- SSO configuration changes such as create, enable, disable, and delete +- User creation through SSO provisioning +- User sign-in events that include the authentication method +- Identity-linking updates for existing users + +## Troubleshooting + +**The setup link isn't generated** + +Check whether your organization already contains members with email addresses outside the domain you are trying to claim. + +**The claimed domain is rejected** + +The domain may already be claimed by another organization. In that case, contact Seqera support. + +**Users are not redirected to the corporate IdP** + +Confirm that SSO is enabled for the organization and that the user's email domain matches the claimed domain. + +**An existing user sees a linking problem during login** + +If Seqera can't link an existing account to the SSO identity, the user should contact an organization owner or Seqera support before trying again. From 72ace7e4a99473c25881daa6d51e60aa778de2ed Mon Sep 17 00:00:00 2001 
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Thu, 30 Apr 2026 13:06:05 +0200 Subject: [PATCH 2/5] docs: update Cloud Pro SSO docs --- platform-cloud/cloud-sidebar.json | 2 +- .../single-sign-on.md | 49 ++++++++++--------- .../docs/orgs-and-teams/organizations.md | 2 +- platform-cloud/docs/orgs-and-teams/roles.md | 4 ++ 4 files changed, 32 insertions(+), 25 deletions(-) rename platform-cloud/docs/{orgs-and-teams => getting-started}/single-sign-on.md (61%) diff --git a/platform-cloud/cloud-sidebar.json b/platform-cloud/cloud-sidebar.json index 98401ab8b..4236ff5d9 100644 --- a/platform-cloud/cloud-sidebar.json +++ b/platform-cloud/cloud-sidebar.json @@ -21,6 +21,7 @@ "items": [ "getting-started/deployment-options", "getting-started/workspace-setup", + "getting-started/single-sign-on", "getting-started/quickstart-demo/add-pipelines", "getting-started/quickstart-demo/add-data", "getting-started/quickstart-demo/launch-pipelines", @@ -176,7 +177,6 @@ "label": "Administration", "items": [ "orgs-and-teams/organizations", - "orgs-and-teams/single-sign-on", "orgs-and-teams/workspace-management", "orgs-and-teams/roles", "orgs-and-teams/custom-roles", diff --git a/platform-cloud/docs/orgs-and-teams/single-sign-on.md b/platform-cloud/docs/getting-started/single-sign-on.md similarity index 61% rename from platform-cloud/docs/orgs-and-teams/single-sign-on.md rename to platform-cloud/docs/getting-started/single-sign-on.md index bf95baccb..2381becff 100644 --- a/platform-cloud/docs/orgs-and-teams/single-sign-on.md +++ b/platform-cloud/docs/getting-started/single-sign-on.md @@ -2,7 +2,7 @@ title: "Single sign-on (SSO)" description: "Configure single sign-on for a Seqera Platform Cloud organization." date created: "2026-03-10" -last updated: "2026-03-10" +last updated: "2026-04-30" tags: [sso, authentication, organization-settings, cloud-pro] --- 
@@ -13,10 +13,10 @@ SSO is available for **Cloud Pro** organizations and uses Auth0 self-service SSO ## Before you begin - SSO is available only for [Cloud Pro](https://seqera.io/pricing/) organizations. -- Only organization owners should configure or manage SSO. For more information, see [User roles](./roles). -- Your organization must claim an email domain that is not already claimed by another organization. +- Only organization owners should configure or manage SSO. For more information, see [User roles](../orgs-and-teams/roles). +- Your organization must claim one email domain that is not already active for another organization. - All existing organization members should use email addresses on the domain you want to claim. If members use other domains, Seqera blocks setup until that mismatch is resolved. -- Domain ownership is verified during setup before the connection can be activated. +- Your organization must not have workspace collaborators. Remove collaborators or add them as organization members before you configure SSO. :::caution After SSO is enabled, users on the claimed domain authenticate through the configured IdP. If the IdP is unavailable, those users can't fall back to another login method. 
@@ -31,21 +31,22 @@ In **Organization settings**, the SSO experience depends on your subscription ti ## Configure SSO -1. Open your organization, then select **Settings**. -2. Choose the option to configure SSO and enter the email domain your organization wants to claim. -3. Use the setup link generated by Seqera to open the Auth0 self-service SSO wizard. -4. In the wizard, select your identity provider and complete the provider-specific configuration. -5. Run the connection test in the Auth0 wizard to confirm that authentication works. -6. Complete domain ownership verification in the wizard. -7. Return to Seqera and select **Enable SSO** to activate the connection. +1. Open your organization, then select **Settings**. +2. Choose the option to configure SSO and enter the email domain your organization wants to claim. +3. Use the setup link generated by Seqera to open the Auth0 self-service SSO wizard. +4. In the wizard, select your identity provider and complete the provider-specific configuration. +5. Run the connection test in the Auth0 wizard to confirm that authentication works. +6. Return to Seqera and select **Enable SSO** to activate the connection. -Seqera validates the domain again when you enable the connection. If the domain configured in the wizard no longer matches the domain claimed in Seqera, activation fails and you must correct the mismatch before continuing. +Seqera validates the configured Auth0 connection when you enable SSO. If the domain configured in Auth0 doesn't match the domain claimed in Seqera, activation fails. Correct the Auth0 configuration or delete the SSO configuration and create a new one with the correct domain. + +The setup link expires after five days. If the link expires before your IdP administrator completes setup, refresh the URL from the SSO settings page. ## Sign-in behavior When an organization has active SSO: -- The Seqera login flow starts with an email-first step. +- The sign-in flow starts with an email-first step. 
- Users whose email domain matches an active SSO connection are redirected to their corporate IdP. - Users whose email domain does not match an SSO connection continue with the standard Seqera login options. - Users who previously signed in with a social provider and have a matching SSO domain are redirected to the corporate IdP instead. @@ -60,15 +61,15 @@ When a user signs in through an active SSO connection for the first time: Newly provisioned users receive the lowest organization-level role by default. Organization owners can then promote those users or grant workspace-level access as needed. -Organization owners can also review whether existing users have been linked to the organization's SSO identity from the organization membership view. +SSO applies only to users with the claimed email domain. External users who need workspace access must be invited as organization members and authenticate through the configured IdP. Active SSO blocks new workspace collaborator assignments. ## Manage an existing connection Organization owners can manage the SSO connection from **Organization settings**: -- Suspend SSO enforcement without deleting the existing configuration. -- Re-activate a previously disabled connection. -- Open a management link for IdP-side changes, such as certificate rotation or provider configuration updates. +- Disable SSO enforcement without deleting the existing configuration. +- Re-enable a previously disabled connection if no other organization has activated the same domain. +- Generate a management link for IdP-side changes, such as certificate rotation or provider configuration updates. - Delete the connection and release the claimed domain. :::note 
@@ -80,24 +81,26 @@ You can't change the claimed domain through the edit flow. To move SSO to a diff SSO activity is recorded in the audit log for compliance and troubleshooting. Audit coverage includes: - SSO configuration changes such as create, enable, disable, and delete -- User creation through SSO provisioning -- User sign-in events that include the authentication method - Identity-linking updates for existing users ## Troubleshooting -**The setup link isn't generated** +### The setup link isn't generated Check whether your organization already contains members with email addresses outside the domain you are trying to claim. -**The claimed domain is rejected** +### Setup is blocked because the organization has collaborators + +Remove existing workspace collaborators or add them as organization members before you configure SSO. After SSO is active, external users must be organization members to access workspaces. + +### The claimed domain is rejected The domain may already be claimed by another organization. In that case, contact Seqera support. -**Users are not redirected to the corporate IdP** +### Users are not redirected to the corporate IdP Confirm that SSO is enabled for the organization and that the user's email domain matches the claimed domain. -**An existing user sees a linking problem during login** +### An existing user sees a linking problem during login If Seqera can't link an existing account to the SSO identity, the user should contact an organization owner or Seqera support before trying again. diff --git a/platform-cloud/docs/orgs-and-teams/organizations.md b/platform-cloud/docs/orgs-and-teams/organizations.md index 55ca5d435..beefb050b 100644 --- a/platform-cloud/docs/orgs-and-teams/organizations.md +++ b/platform-cloud/docs/orgs-and-teams/organizations.md 
@@ -33,7 +33,7 @@ You can invite or add additional members to the workspace from the workspace **S Organization owners can view, edit, and delete organizations in the **Organization settings** screen. Select your organization from the drop-down menu, then select **Settings** in the sidebar. -Cloud Pro organizations can also configure and manage [single sign-on (SSO)](./single-sign-on) from the organization settings page. +Cloud Pro organizations can also configure and manage [single sign-on (SSO)](../getting-started/single-sign-on) from the organization settings page. #### Edit or delete an organization diff --git a/platform-cloud/docs/orgs-and-teams/roles.md b/platform-cloud/docs/orgs-and-teams/roles.md index cf1ca6a1e..13fcc4d87 100644 --- a/platform-cloud/docs/orgs-and-teams/roles.md +++ b/platform-cloud/docs/orgs-and-teams/roles.md @@ -12,6 +12,10 @@ Organization owners can assign role-based access levels to individual **particip You can group **members** and **collaborators** into **teams** and apply a role to that team. Members and collaborators inherit the access role of the team. ::: +:::note +Cloud Pro organizations with active [single sign-on (SSO)](../getting-started/single-sign-on) can't add external workspace collaborators. External users who need workspace access must be invited as organization members and authenticate through the configured IdP. +::: + ### Organization user roles - **Owner**: After an organization is created, the user who created the organization is the default owner of that organization. Additional users can be assigned as organization owners. Owners have full read/write access to modify members, teams, collaborators, and settings within an organization. Organization owners always have full owner access to organization workspaces, regardless of their participant roles at the workspace level. From 302be126b34e761350f829c21a1c2b88f5b00af8 Mon Sep 17 00:00:00 2001 
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Mon, 4 May 2026 14:25:05 +0200 Subject: [PATCH 3/5] docs: add Entra SSO setup guidance --- .../docs/getting-started/single-sign-on.md | 32 ++++++++++++++++--- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/platform-cloud/docs/getting-started/single-sign-on.md b/platform-cloud/docs/getting-started/single-sign-on.md index 2381becff..e6a81a59d 100644 --- a/platform-cloud/docs/getting-started/single-sign-on.md +++ b/platform-cloud/docs/getting-started/single-sign-on.md @@ -2,7 +2,7 @@ title: "Single sign-on (SSO)" description: "Configure single sign-on for a Seqera Platform Cloud organization." date created: "2026-03-10" -last updated: "2026-04-30" +last updated: "2026-05-04" tags: [sso, authentication, organization-settings, cloud-pro] --- @@ -17,6 +17,7 @@ SSO is available for **Cloud Pro** organizations and uses Auth0 self-service SSO - Your organization must claim one email domain that is not already active for another organization. - All existing organization members should use email addresses on the domain you want to claim. If members use other domains, Seqera blocks setup until that mismatch is resolved. - Your organization must not have workspace collaborators. Remove collaborators or add them as organization members before you configure SSO. +- You need permission to configure your organization's IdP. Some providers, such as Microsoft Entra ID, require an application client ID and client secret. :::caution After SSO is enabled, users on the claimed domain authenticate through the configured IdP. If the IdP is unavailable, those users can't fall back to another login method. 
@@ -33,15 +34,31 @@ In **Organization settings**, the SSO experience depends on your subscription ti 1. Open your organization, then select **Settings**. 2. Choose the option to configure SSO and enter the email domain your organization wants to claim. -3. Use the setup link generated by Seqera to open the Auth0 self-service SSO wizard. -4. In the wizard, select your identity provider and complete the provider-specific configuration. -5. Run the connection test in the Auth0 wizard to confirm that authentication works. -6. Return to Seqera and select **Enable SSO** to activate the connection. +3. Select **Generate setup URL**. +4. Open the setup URL to start the Auth0 self-service SSO wizard. +5. In the wizard, select your identity provider and complete the provider-specific configuration. +6. Run the connection test in the Auth0 wizard to confirm that authentication works. +7. Return to Seqera and select **Enable SSO** to activate the connection. Seqera validates the configured Auth0 connection when you enable SSO. If the domain configured in Auth0 doesn't match the domain claimed in Seqera, activation fails. Correct the Auth0 configuration or delete the SSO configuration and create a new one with the correct domain. The setup link expires after five days. If the link expires before your IdP administrator completes setup, refresh the URL from the SSO settings page. +## Configure Microsoft Entra ID + +Use the Auth0 self-service SSO wizard to connect Microsoft Entra ID to Seqera. Before you start, configure an Entra application for Seqera SSO and assign access to the users or groups that should be able to sign in. + +When you select Microsoft Entra ID in the Auth0 wizard, provide: + +- **Domain**: The email domain claimed in Seqera. +- **Client ID**: The application client ID from the Entra app registration. +- **Client secret**: A client secret for the Entra app. 
+- **Claims mapping**: The mapping between Entra user attributes and the user profile attributes returned to Seqera. + +After you enter the Entra configuration, run the test connection in Auth0. The test authenticates with Microsoft and confirms that Auth0 can receive the expected user profile. If your browser is already signed in to Microsoft as another user, the test may use that Microsoft session; this does not change the Seqera organization owner who is configuring SSO. + +Return to Seqera after the Auth0 test succeeds and enable SSO enforcement from the SSO settings page. + ## Sign-in behavior When an organization has active SSO: @@ -58,6 +75,7 @@ When a user signs in through an active SSO connection for the first time: - New users are automatically added to the organization as members. - Existing Seqera accounts with the same email are linked to the SSO identity instead of creating a duplicate user. - Existing organization memberships, workspace roles, ownership, and run history are preserved. +- Name and profile fields are populated from the IdP when those attributes are available. Newly provisioned users receive the lowest organization-level role by default. Organization owners can then promote those users or grant workspace-level access as needed. @@ -101,6 +119,10 @@ The domain may already be claimed by another organization. In that case, contact Confirm that SSO is enabled for the organization and that the user's email domain matches the claimed domain. +### A Microsoft Entra user can't complete sign in + +Confirm that the user has access to the Entra application configured for Seqera SSO and that the user's email domain matches the domain claimed in Seqera. + ### An existing user sees a linking problem during login If Seqera can't link an existing account to the SSO identity, the user should contact an organization owner or Seqera support before trying again. From 42f9064ab686161afdd101a3be7133546dd60ead Mon Sep 17 00:00:00 2001 
From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Tue, 5 May 2026 10:56:16 +0200 Subject: [PATCH 4/5] docs: address SSO review feedback --- .../docs/getting-started/single-sign-on.md | 25 +++++++------------ 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/platform-cloud/docs/getting-started/single-sign-on.md b/platform-cloud/docs/getting-started/single-sign-on.md index e6a81a59d..87c043428 100644 --- a/platform-cloud/docs/getting-started/single-sign-on.md +++ b/platform-cloud/docs/getting-started/single-sign-on.md @@ -17,7 +17,7 @@ SSO is available for **Cloud Pro** organizations and uses Auth0 self-service SSO - Your organization must claim one email domain that is not already active for another organization. - All existing organization members should use email addresses on the domain you want to claim. If members use other domains, Seqera blocks setup until that mismatch is resolved. - Your organization must not have workspace collaborators. Remove collaborators or add them as organization members before you configure SSO. -- You need permission to configure your organization's IdP. Some providers, such as Microsoft Entra ID, require an application client ID and client secret. +- You need permission to configure your organization's IdP. Depending on the provider, you might need values such as a client ID, client secret, metadata URL, issuer URL, or signing certificate. :::caution After SSO is enabled, users on the claimed domain authenticate through the configured IdP. If the IdP is unavailable, those users can't fall back to another login method. 
@@ -44,20 +44,13 @@ Seqera validates the configured Auth0 connection when you enable SSO. If the dom The setup link expires after five days. If the link expires before your IdP administrator completes setup, refresh the URL from the SSO settings page. -## Configure Microsoft Entra ID +## Identity provider setup -Use the Auth0 self-service SSO wizard to connect Microsoft Entra ID to Seqera. Before you start, configure an Entra application for Seqera SSO and assign access to the users or groups that should be able to sign in. +The Auth0 self-service SSO wizard provides provider-specific instructions. Follow the wizard for the exact values and configuration steps required by your IdP. -When you select Microsoft Entra ID in the Auth0 wizard, provide: +For the current list of supported providers, see [Auth0 Self-Service Enterprise Configuration](https://auth0.com/docs/authenticate/enterprise-connections/self-service-enterprise-config). -- **Domain**: The email domain claimed in Seqera. -- **Client ID**: The application client ID from the Entra app registration. -- **Client secret**: A client secret for the Entra app. -- **Claims mapping**: The mapping between Entra user attributes and the user profile attributes returned to Seqera. - -After you enter the Entra configuration, run the test connection in Auth0. The test authenticates with Microsoft and confirms that Auth0 can receive the expected user profile. If your browser is already signed in to Microsoft as another user, the test may use that Microsoft session; this does not change the Seqera organization owner who is configuring SSO. - -Return to Seqera after the Auth0 test succeeds and enable SSO enforcement from the SSO settings page. +Configure user or group access in your IdP before you run the connection test in Auth0. ## Sign-in behavior 
@@ -72,9 +65,9 @@ When an organization has active SSO: When a user signs in through an active SSO connection for the first time: -- New users are automatically added to the organization as members. - Existing Seqera accounts with the same email are linked to the SSO identity instead of creating a duplicate user. -- Existing organization memberships, workspace roles, ownership, and run history are preserved. +- Users who first access Seqera after SSO is active are created through the SSO sign-in flow and automatically added to the organization as members. +- Existing organization memberships, workspace roles, ownership, and run history are preserved for linked accounts. - Name and profile fields are populated from the IdP when those attributes are available. Newly provisioned users receive the lowest organization-level role by default. Organization owners can then promote those users or grant workspace-level access as needed. @@ -119,9 +112,9 @@ The domain may already be claimed by another organization. In that case, contact Confirm that SSO is enabled for the organization and that the user's email domain matches the claimed domain. -### A Microsoft Entra user can't complete sign in +### An IdP user can't complete sign in -Confirm that the user has access to the Entra application configured for Seqera SSO and that the user's email domain matches the domain claimed in Seqera. +Confirm that the user has access to the application or connection configured in your IdP and that the user's email domain matches the domain claimed in Seqera. ### An existing user sees a linking problem during login From 2e3bac9c41966adc29b7e17e7ef2219e72f409b3 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Tue, 5 May 2026 17:11:27 +0200 Subject: [PATCH 5/5] docs: add SSO pre-flight cleanup guidance --- .../docs/getting-started/single-sign-on.md | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) 
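Review bot: In the `@@ -72,9 +65,9` hunk, the unchanged bullet "Existing Seqera accounts with the same email are linked to the SSO identity instead of creating a duplicate user." plus the new line "Existing organization memberships, workspace roles, ownership, and run history are preserved for linked accounts." together mean an IdP-asserted email transfers an existing account's roles and ownership to the SSO identity, but the text does not say which IdP attribute supplies that email, whether it must fall within the claimed domain to be eligible for linking, or whether the match is case-insensitive. Suggest stating the matching rule explicitly, since this is the point where an IdP misconfiguration (or a mapped attribute that an end user controls) would decide which account a login lands in.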
diff --git a/platform-cloud/docs/getting-started/single-sign-on.md b/platform-cloud/docs/getting-started/single-sign-on.md index 87c043428..f4cb4dea5 100644 --- a/platform-cloud/docs/getting-started/single-sign-on.md +++ b/platform-cloud/docs/getting-started/single-sign-on.md @@ -2,7 +2,7 @@ title: "Single sign-on (SSO)" description: "Configure single sign-on for a Seqera Platform Cloud organization." date created: "2026-03-10" -last updated: "2026-05-04" +last updated: "2026-05-05" tags: [sso, authentication, organization-settings, cloud-pro] --- @@ -30,6 +30,18 @@ In **Organization settings**, the SSO experience depends on your subscription ti - Cloud Pro organization owners see an option to configure SSO. - Cloud Basic organization owners see an upgrade prompt stating that enterprise SSO is available on Cloud Pro, with a link to pricing information. +## Prepare users before setup + +Before you configure SSO, resolve any users who can't authenticate through the domain you want to claim: + +- Remove organization members whose email addresses don't use the claimed domain, or update their accounts to use email addresses on the claimed domain. +- Remove all workspace collaborators. If external users need continued access, add them to your IdP as guest or external accounts so they can sign in through SSO and be provisioned as organization members. +- If an existing collaborator already uses the claimed domain, add them as an organization member before you claim the domain. + +Seqera blocks domain claiming when the organization has members with email addresses outside the claimed domain or existing workspace collaborators. The setup flow lists the affected users so you can resolve them before trying again. + +Full claims-based provisioning for collaborator migration is planned for Q2 2026. Until then, external users must be added to the IdP and provisioned through the SSO sign-in flow. + ## Configure SSO 1. Open your organization, then select **Settings**. 
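Review bot: In the `@@ -30,6 +30,18` hunk, the sentence "Full claims-based provisioning for collaborator migration is planned for Q2 2026." is a roadmap statement inside product documentation; this patch is itself dated 5 May 2026, i.e. within Q2 2026, so the line will read as stale almost immediately. Suggest either removing it or keeping only the interim instruction that follows ("external users must be added to the IdP and provisioned through the SSO sign-in flow"). Separately, the second bullet says "Remove all workspace collaborators." while the third says a collaborator on the claimed domain should be added as an organization member "before you claim the domain"; suggest making the third bullet read as the exception to the second so the order of operations is unambiguous.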
@@ -42,7 +54,7 @@ In **Organization settings**, the SSO experience depends on your subscription ti Seqera validates the configured Auth0 connection when you enable SSO. If the domain configured in Auth0 doesn't match the domain claimed in Seqera, activation fails. Correct the Auth0 configuration or delete the SSO configuration and create a new one with the correct domain. -The setup link expires after five days. If the link expires before your IdP administrator completes setup, refresh the URL from the SSO settings page. +The setup link expires after five days. After an IdP administrator opens the Auth0 access ticket, the ticket expires after five hours. If the wizard requires DNS verification for the claimed domain, verification can take up to 48 hours. If the ticket expires before verification or setup is complete, refresh the URL from the SSO settings page. ## Identity provider setup @@ -72,7 +84,7 @@ When a user signs in through an active SSO connection for the first time: Newly provisioned users receive the lowest organization-level role by default. Organization owners can then promote those users or grant workspace-level access as needed. -SSO applies only to users with the claimed email domain. External users who need workspace access must be invited as organization members and authenticate through the configured IdP. Active SSO blocks new workspace collaborator assignments. +SSO applies only to users with the claimed email domain. External users who need workspace access must be added to the organization's IdP as guest or external accounts, provisioned as organization members through SSO, and granted the appropriate workspace access. Active SSO blocks new workspace collaborator assignments. ## Manage an existing connection 
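Review bot: In the `@@ -42,7 +54,7` hunk, the new sentence combines a five-hour ticket lifetime with DNS verification that "can take up to 48 hours", so the ticket will normally expire while verification is still pending, yet the text presents expiry as an exceptional case ("If the ticket expires before verification or setup is complete, refresh the URL"). Suggest stating plainly that the IdP administrator should expect to refresh the URL when DNS verification is required, and whether a refreshed ticket resumes the same Auth0 connection (so DNS records already published are still recognized) or starts a new one. Also worth clarifying which clock the five-day limit on the setup link applies to, since both expiries now appear in one paragraph.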
@@ -98,11 +110,11 @@ SSO activity is recorded in the audit log for compliance and troubleshooting. Au ### The setup link isn't generated -Check whether your organization already contains members with email addresses outside the domain you are trying to claim. +Check whether your organization already contains members with email addresses outside the domain you are trying to claim or existing workspace collaborators. ### Setup is blocked because the organization has collaborators -Remove existing workspace collaborators or add them as organization members before you configure SSO. After SSO is active, external users must be organization members to access workspaces. +Remove existing workspace collaborators before you configure SSO. If external users need continued access, add them to your IdP as guest or external accounts so they can sign in through SSO and be provisioned as organization members. ### The claimed domain is rejected
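Review bot: In the `@@ -98,11 +110,11` hunk, the replacement text under "Setup is blocked because the organization has collaborators" repeats the "Prepare users before setup" guidance verbatim ("If external users need continued access, add them to your IdP as guest or external accounts so they can sign in through SSO and be provisioned as organization members."). Suggest reducing this entry to a short pointer to that section so the two copies cannot drift apart. The first change, adding "or existing workspace collaborators" to the "setup link isn't generated" entry, correctly matches the blocking conditions described earlier in the page.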