Multi-Organization SAML Single Sign-On
This describes how to use SAML SSO for multi-organization environments. SAML is the standard for exchanging authentication data between an identity provider and Automox; SSO is login via a corporate identity provider, for example Okta or Entra.
Automox supports multiple SAML configurations across all organizations that you manage. Multi-organization SAML allows you to create a SAML configuration for each organization, providing specific access based on the organization and its users.
Currently, multi-organization SAML only supports a one-to-one relationship with organizations: each organization needs its own configuration and its own SAML app.
Configuration
The process for configuring multi-organization SAML is the same as for single-organization SAML. In any organization, go to Security to set up a SAML configuration.
Once configured, any user with an account in the organization with SAML enabled is redirected to the IDP for login, unless they specify an organization at login.
Logging In
IDP-Initiated
IDP-initiated logins behave as expected. When a user clicks a specific app in your IDP for an organization, they are redirected to that organization. After they log in, they can optionally navigate to another organization that they belong to by using the Automox multi-organization drop-down menu.
SP-Initiated
SP-initiated logins behave differently depending on how you want users to reach their specific organizations:
- Generic Login: If a user visits console.automox.com and attempts to log in, Automox defaults to the SAML configuration of the lowest organization ID that the specific user has access to. If organization A for the user has SAML, the SAML configuration for organization A is used. If organization A has password login, and organization B has SAML enabled, organization B’s SAML configuration is used.
- Define an Organization ID: Users can log in directly to a specific organization if they specify an organization ID in the URL at login. If a user specifies organization A in their login URL, they will use organization A’s SAML configuration to log in.
Specify an organization ID in the login URL as follows:
- You can find the organization ID for any given account when logged into the console. The URL shows a parameter for “?o=XXXX,” where XXXX is the organization ID.
- Copy and paste the same “?o=XXXX” parameter into the login URL (https://console.automox.com/login) to force login to that specific organization.
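The following is an added example, not Automox code, that models the SP-initiated selection rules described above: it extracts the `?o=` parameter from a login URL and picks the organization whose SAML configuration will be used, falling back to the lowest-ID organization with SAML enabled when no organization is specified. The `Org` dataclass, the organization IDs and names, and the behaviour when the requested organization is not one the user belongs to or when no organization has SAML (both treated here as an assumption) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Org:
    """Constructed model of an organization the user has access to."""
    org_id: int
    name: str
    saml_enabled: bool  # True: SAML configured; False: password login


def org_id_from_login_url(url: str) -> Optional[int]:
    """Return the organization ID from a '?o=XXXX' login URL, or None if absent/invalid."""
    values = parse_qs(urlparse(url).query).get("o")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def resolve_login_org(user_orgs: Iterable[Org],
                      requested_org_id: Optional[int] = None) -> Tuple[Org, str]:
    """Pick the organization and login method ('saml' or 'password') for an SP-initiated login.

    - If an org ID was given in the URL, that org's configuration is used.
    - Otherwise, walk the user's orgs in ascending ID order and use the first one
      with SAML enabled (the page's "lowest organization ID" rule).
    - Assumption (not stated on the page): if no org has SAML, the lowest-ID org
      is used with password login; a requested org the user is not a member of
      is rejected.
    """
    orgs = sorted(user_orgs, key=lambda o: o.org_id)
    if not orgs:
        raise ValueError("user has no organizations")

    if requested_org_id is not None:
        by_id = {o.org_id: o for o in orgs}
        org = by_id.get(requested_org_id)
        if org is None:
            raise PermissionError(f"user is not a member of organization {requested_org_id}")
        return org, ("saml" if org.saml_enabled else "password")

    for org in orgs:
        if org.saml_enabled:
            return org, "saml"
    return orgs[0], "password"


# Constructed sample data: org A uses passwords, B and C have SAML configured.
SAMPLE_ORGS = (
    Org(1001, "Org A", saml_enabled=False),
    Org(1002, "Org B", saml_enabled=True),
    Org(1003, "Org C", saml_enabled=True),
)

if __name__ == "__main__":
    # Generic login: A is lowest but uses passwords, so B's SAML configuration is chosen.
    print(resolve_login_org(SAMPLE_ORGS))
    # Explicit organization in the URL forces that org's configuration.
    requested = org_id_from_login_url("https://console.automox.com/login?o=1003")
    print(resolve_login_org(SAMPLE_ORGS, requested))
```

The same generic-login walk is what makes the ordering of organization IDs matter: a password-only organization with a lower ID never blocks SAML for a higher-ID organization, which matches the Organization A / Organization B case in the text.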
Inviting and Provisioning Users
Inviting Users
With multi-organization SAML enabled, you can invite users to other organizations through the regular user invite workflow. If SAML is enabled in the organization that you are inviting them to, they will need appropriate access to the SAML app in your IDP.
Provisioning
Provisioning users from the IDP is only supported for IDP-initiated login. To provision a user to a specific organization, enable provisioning when setting up the SAML configuration and give the user access to the appropriate app in your IDP. When they attempt to log in, an account is created for them in the appropriate organization.
