From 00ddf69ba32f4fbff7811daf314ba7056129830f Mon Sep 17 00:00:00 2001 From: sheltongraves <148902861+sheltongraves@users.noreply.github.com> Date: Mon, 30 Mar 2026 13:23:49 -0400 Subject: [PATCH] Update index.md Added section on Strict SSO --- src/content/docs/aws/enterprise/sso/index.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/content/docs/aws/enterprise/sso/index.md b/src/content/docs/aws/enterprise/sso/index.md index e616c97e..4999df97 100644 --- a/src/content/docs/aws/enterprise/sso/index.md +++ b/src/content/docs/aws/enterprise/sso/index.md 
@@ -218,6 +218,23 @@ After configuring the base details for your Identity Provider (IdP), the followi ![Callback URL, Sign Up Portal URL, and Identifier (Entity Id)](/images/aws/additional-information-page.png) +## Strict SSO Mode + +Strict SSO Mode is an optional security enhancement that requires all members of your organization to authenticate exclusively through the configured Identity Provider (IdP). Once enabled, standard username/password login is disabled for your organization and the configured IdP becomes the only permitted way to sign in. + +This provides two key security benefits: + +- **Leaked credential protection**: Even if a user's LocalStack password is compromised, attackers cannot log in without going through your IdP. +- **Revocation enforcement**: When an employee's account is removed or suspended in your IdP, they immediately lose access to LocalStack. + +### Enabling Strict SSO Mode + +To enable strict mode, open the identity provider configuration in your LocalStack Web Application profile settings under **Single Sign-on**, and toggle the **Enable Strict SSO Mode** checkbox in the identity provider settings. + +:::caution +Before enabling strict mode, ensure all team members have linked their accounts to the configured Identity Provider. Once strict mode is active, any user who has not completed SSO setup will be unable to sign in via password. +::: + ## User Roles and Permissions For each new member that joins your org, you can specify user roles and permissions that should be assigned to them. 
@@ -227,4 +244,4 @@ For each new member that joins your org, you can specify user roles and permissi - Tip: In order to enable self-serve licences (i.e., allowing your users to allocate themselves their own license), make sure to select the **Allow member to issue a license for themselves (or a legacy API key)** permission. -![User Roles and Permissions](/images/aws/roles-permissions.png) \ No newline at end of file +![User Roles and Permissions](/images/aws/roles-permissions.png)
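Review bot: the "Revocation enforcement" bullet in the Strict SSO Mode section says a user "immediately" loses access once removed or suspended in the IdP, but the hunk does not say whether enabling strict mode, or an IdP-side removal, invalidates already-issued sessions or only blocks the next sign-in; please state which, since readers will take "immediately" to mean active sessions are terminated. The "Leaked credential protection" bullet should likewise say whether it covers only interactive username/password login or also non-interactive credentials such as the legacy API keys mentioned later on the page, otherwise it overstates what the mode protects. The `:::caution` block warns that users who have not completed SSO setup cannot sign in, but it gives no recovery path for an administrator who enables the mode before linking their own account; a sentence on how strict mode can be disabled or how a locked-out admin regains access would make the warning actionable. Minor style point: "open the identity provider configuration in your LocalStack Web Application profile settings under **Single Sign-on**, and toggle the **Enable Strict SSO Mode** checkbox in the identity provider settings" repeats "identity provider settings"; the second mention can be dropped.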
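Review bot: no functional change in this hunk; it only restores the missing trailing newline at end of file, which is fine to keep in the same commit.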