SSO Authentication
This page documents how Single Sign-On (SSO) authentication works in Fides, including configuration options and behavioral rules.
Overview
When an SSO provider is configured in Fides, the system enforces SSO login for users, preventing the use of username/password authentication except in specifically configured cases. This provides stronger security and centralized authentication management.
For detailed instructions on how to configure SSO providers in Fides, see the OAuth and OIDC configuration guide.
Configuration
The security setting FIDES__SECURITY__ALLOW_USERNAME_PASSWORD_LOGIN controls whether username/password authentication is allowed alongside SSO:
[security]
allow_username_password_login = "false"
When set to false, users cannot log in with username/password when an SSO provider is configured. If your system needs to support both authentication methods simultaneously, set allow_username_password_login = "true" in your configuration.
Authentication Logic
The authentication system follows these rules:
- If no SSO provider is configured, username/password login is always allowed
- If SSO is configured and allow_username_password_login is false:
  - All users must use SSO
- If SSO is configured and allow_username_password_login is true (default):
  - The root user can log in with username/password
  - Users with password login enabled can log in with username/password
  - Other users must use SSO
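The rules above expressed as a decision function, with an audit helper that lists the accounts still able to authenticate without SSO. This is an added example, not Fides code; the User fields, function names and sample accounts are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    # Hypothetical model: field names are assumptions, not the Fides schema.
    username: str
    is_root: bool = False
    password_login_enabled: bool = False  # the per-user toggle set at creation


def password_login_allowed(user, sso_configured, allow_username_password_login):
    """Apply the documented rules to a single user."""
    if not sso_configured:
        # No SSO provider: username/password login is always allowed.
        return True
    if not allow_username_password_login:
        # SSO configured and the setting is false: all users must use SSO.
        return False
    # SSO configured and the setting is true: only root and opted-in users.
    return user.is_root or user.password_login_enabled


def sso_bypass_accounts(users, sso_configured, allow_username_password_login):
    """Usernames that can still log in with a password while SSO is configured."""
    if not sso_configured:
        return []  # nothing to bypass when no provider exists
    return sorted(
        u.username
        for u in users
        if password_login_allowed(u, sso_configured, allow_username_password_login)
    )


# Constructed sample accounts for illustration.
SAMPLE_USERS = [
    User("root", is_root=True),
    User("svc-backup", password_login_enabled=True),
    User("alice"),
]

if __name__ == "__main__":
    for setting in (True, False):
        print(setting, sso_bypass_accounts(SAMPLE_USERS, True, setting))
```

Running the audit against a real user export shows which accounts remain outside the identity provider's controls and therefore need their own password and review policy.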
User-Level Control
If FIDES__SECURITY__ALLOW_USERNAME_PASSWORD_LOGIN is set to true, administrators can enable password login for individual users through a toggle in the user creation page. This allows specific users to authenticate with username and password even when SSO is the main authentication method.
For security purposes, this setting cannot be changed after user creation. An administrator can enable password login for a user by deleting their account and re-inviting them.

User Invitation Behavior
User invitation emails are automatically skipped for users configured to use SSO authentication. This prevents confusion when a user is expected to authenticate via SSO but receives an email invitation to set a password.