Multi-Organization SAML Single Sign-On
This describes how to use SAML/SSO in multi-organization environments.
Automox supports a separate SAML configuration for each organization that you manage. Multi-organization SAML lets you create one SAML configuration per organization, so that access is scoped to that organization and to the users who belong to it.
Currently, multi-organization SAML only supports a one-to-one relationship between an organization and a SAML configuration. Each organization needs its own configuration and its own SAML app in your IDP.
Configuration
The process for configuring multi-organization SAML is the same as for single-organization SAML. In any organization, open Security to set up a SAML configuration.
Once configured, any user with an account in an organization that has SAML enabled is redirected to the IDP for login, unless they specify an organization at login.
Logging In
IDP-Initiated
IDP-initiated logins behave as expected: when a user clicks the app for a specific organization in your IDP, they are redirected to that organization. After logging in, they can navigate to any other organization they belong to from the Automox multi-organization drop-down menu.
SP-Initiated
SP-initiated logins are routed differently depending on how you want users to reach their specific organizations:
Generic Login: If a user visits console.automox.com and attempts to log in, Automox defaults to the SAML configuration of the lowest organization ID that the user has access to and that has SAML enabled. If organization A (the lowest ID) has SAML, organization A's SAML configuration is used. If organization A uses password login and organization B has SAML enabled, organization B's SAML configuration is used.
Define an Organization ID: Users can log in directly to a specific organization by specifying an organization ID in the login URL. If a user specifies organization A in the login URL, organization A's SAML configuration is used for login.
Specify an organization ID in the login URL as follows:
- The organization ID for any given account can be found while logged in to the console. The URL carries a parameter “?o=XXXX”, where XXXX is the organization ID.
- Append the same “?o=XXXX” parameter to the login URL (https://console.automox.com/login), giving https://console.automox.com/login?o=XXXX, to force login to that specific organization.
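The SP-initiated routing rules above, modelled in code as an added example (this is not Automox code, only an illustration of the documented behaviour). The organization IDs, names and login methods are constructed sample data. Two cases the page does not spell out are handled as labelled assumptions: a requested organization the user does not belong to is rejected, and a user with no SAML-enabled organization falls through to password login on the lowest organization ID.

```python
"""Model of Automox SP-initiated login routing for multi-organization SAML.

Added illustration of the behaviour described above; not Automox code.
Organization IDs, names and login methods below are constructed sample data.
"""
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_URL = "https://console.automox.com/login"

# Constructed sample data: the organizations one user belongs to, keyed by
# organization ID, with the login method each organization has configured.
USER_ORGS = {
    4021: {"name": "Org A", "auth": "password"},
    4177: {"name": "Org B", "auth": "saml"},
    5302: {"name": "Org C", "auth": "saml"},
}


def org_id_from_console_url(url):
    """Extract the organization ID from a console URL carrying '?o=XXXX'.

    Returns None when the parameter is absent or is not an integer.
    """
    values = parse_qs(urlparse(url).query).get("o")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def login_url(org_id):
    """Build a login URL that forces login to a specific organization."""
    return f"{LOGIN_URL}?{urlencode({'o': org_id})}"


def select_login_config(user_orgs, requested_org=None):
    """Return ('saml' | 'password', org_id) for an SP-initiated login.

    Documented rules:
      * an explicit ?o=XXXX selects that organization's configuration;
      * otherwise the SAML configuration of the lowest organization ID the
        user has access to that has SAML enabled is used.
    Assumptions (not stated on the page): a requested organization the user
    does not belong to is rejected, and a user with no SAML-enabled
    organization falls through to password login on the lowest ID.
    """
    if requested_org is not None:
        if requested_org not in user_orgs:
            raise ValueError(f"user has no access to organization {requested_org}")
        return user_orgs[requested_org]["auth"], requested_org

    for org_id in sorted(user_orgs):  # lowest organization ID first
        if user_orgs[org_id]["auth"] == "saml":
            return "saml", org_id
    return "password", min(user_orgs)  # assumption: no SAML-enabled org


if __name__ == "__main__":
    # Generic login: Org A (4021) uses passwords, so Org B's SAML config wins.
    print(select_login_config(USER_ORGS))
    # Explicit organization taken from a console URL the admin copied.
    oid = org_id_from_console_url("https://console.automox.com/devices?o=5302")
    print(login_url(oid), select_login_config(USER_ORGS, oid))
```

The practical use is the second branch: when you hand out login links, build them with `login_url()` from the ID copied out of the console URL, so users in several organizations land on the intended SAML configuration rather than the lowest-ID default.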
Inviting and Provisioning Users
Inviting Users
With multi-organization SAML enabled, users can be invited to other organizations through the regular user invite workflow. If SAML is enabled in the organization you are inviting them to, they will also need access to that organization's SAML app in your IDP.
Provisioning
Provisioning users from the IDP is supported only for IDP-initiated login; a user without an existing account who attempts an SP-initiated login is not provisioned. To provision a user into a specific organization, enable provisioning when setting up that organization's SAML configuration and give the user access to the corresponding app in your IDP. When they log in through the IDP, an account is created for them in that organization.