About This Feature
Single Sign-On (SSO) connects your organization's login system to Disco, letting everyone use their regular username and password to access Disco. You won't need to create or remember a separate Disco password, and your organization can manage everyone's access in one place, making it both easier and more secure.
Single Sign-On is currently available to Disco customers on an Enterprise plan. Please contact us if you are interested in using SSO for your community.
How It Works
Single Sign-On (SSO) is a way to use your organization's login information to access Disco. When your organization turns on SSO, everyone in the community – including Admins and Members – will log into Disco using their regular organization username and password. This means you won't need a separate Disco password, and you'll use the same login details that you already use for your organization's other services. SSO makes logging in simpler and more secure since you only need to manage one set of login details.
Recovery Codes
Recovery codes are an essential backup for ensuring continued access to your account if the SAML configuration is accidentally removed from the Identity Provider (IdP), disrupting the SSO connection. These codes are provided exclusively for Admin use and allow temporary access to the platform to re-configure the connection. When SSO is first enabled, 10 one-time-use recovery codes are generated, each granting a 24-hour session. It is important to securely store these codes and track which ones have been used, as they cannot be reused. Recovery codes are not intended for members and should remain accessible only to admins.
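The recovery-code lifecycle described above (a fixed batch of codes issued once at SSO setup, each usable exactly once and each opening a time-limited admin session) is modelled in the added example below. It is illustrative code written for this article, not Disco's implementation; the code format, the SHA-256 digest storage and the `RecoveryCodeStore` class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

CODE_COUNT = 10      # codes issued when SSO is first enabled
SESSION_HOURS = 24   # each redeemed code opens a 24-hour admin session


def _digest(code: str) -> str:
    # Codes are high-entropy random tokens, so a plain SHA-256 digest is enough
    # to avoid keeping the plaintext on the server side.
    return hashlib.sha256(code.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class RecoveryCodeStore:
    """Server-side record of issued codes: digests only, plus which were spent."""
    digests: Set[str] = field(default_factory=set)
    used: Set[str] = field(default_factory=set)

    def generate(self, count: int = CODE_COUNT) -> List[str]:
        # Plaintext codes are returned exactly once for the admin to copy;
        # only their digests are retained.
        codes = [secrets.token_hex(8) for _ in range(count)]
        self.digests = {_digest(c) for c in codes}
        self.used = set()
        return codes

    def remaining(self) -> int:
        return len(self.digests - self.used)

    def redeem(self, code: str, now: Optional[datetime] = None) -> Optional[datetime]:
        """Spend one code. Returns the session expiry, or None if the code is
        unknown or has already been used."""
        now = now or datetime.now(timezone.utc)
        presented = _digest(code)
        match = None
        # Compare against every stored digest so timing does not reveal
        # whether an early or late entry matched.
        for stored in self.digests:
            if hmac.compare_digest(stored, presented):
                match = stored
        if match is None or match in self.used:
            return None
        self.used.add(match)
        return now + timedelta(hours=SESSION_HOURS)


def session_valid(expires_at: Optional[datetime], now: Optional[datetime] = None) -> bool:
    """A recovery session is valid until its 24-hour expiry passes."""
    if expires_at is None:
        return False
    now = now or datetime.now(timezone.utc)
    return now < expires_at


if __name__ == "__main__":
    store = RecoveryCodeStore()
    issued = store.generate()
    print("Store these codes now; they will not be shown again:")
    for c in issued:
        print("  ", c)
    expiry = store.redeem(issued[0])
    print("first use ok, session until", expiry)
    print("second use of same code:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

The point of the model is the bookkeeping the article asks admins to do by hand: once a code is redeemed it is marked spent and can never open another session, and the admin can see how many of the ten remain.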
SSO Session Length
Session length is how long a user can stay logged into Disco before they are required to log in again. When you set a session length (like 24 hours or 7 days), it helps keep your account secure by automatically logging Members out after that time period. A shorter session length means more frequent logins but better security, while a longer session length means fewer logins but slightly less security. Most organizations choose a session length that balances convenience with their security needs.
SSO JIT (Just In Time) Provisioning
Just-In-Time (JIT) provisioning gives you control over how users in your organization gain access to Disco through Single Sign-On (SSO). By default, JIT provisioning is enabled, meaning any user with a valid account in your Identity Provider (IdP) can log in to Disco and automatically have an account created. If you prefer to restrict access so that only users who are explicitly invited to Disco can log in (while still requiring a valid IdP account), you can disable the "Allow Just-in-Time Provisioning" option in the SSO connection settings. JIT provisioning can save time for Admins by enabling members to access Disco immediately after enabling SSO without requiring invites.
Supported IdPs
An Identity Provider (IdP) is the system that stores and manages login information for your organization. When you use Single Sign-On (SSO), the IdP acts as a trusted middleman between you and Disco. Here's how it works: When you try to log in to Disco, instead of entering a Disco password, you're sent to your organization's IdP (like Microsoft Azure or Google Workspace). The IdP checks your login details and, if correct, tells Disco "Yes, this person is allowed in." This happens automatically in seconds, keeping your login process simple and secure. Here are our supported IdPs:
- SAML v2.0 IdPs are supported, and specific instructions are available for Microsoft Entra ID, the Miniorange WordPress IdP plugin (requires a premium account), Okta, and Google Workspace.
- If a user is removed from the IdP, the user is not automatically removed from Disco, but they will not be able to log back in. Removal must be managed manually or via the API.
- No custom claims are used inside the SAML request to assign group memberships or give someone additional roles/privileges.
How SSO Interacts with Other Features in Disco
- SSO and Invitations: When someone is invited to join Disco, they can only access the platform if their invitation email matches an email in your organization's Identity Provider (IdP).
- SSO and Public API: When adding users through the Public API, they'll be added to your community but can only log in if their email matches one in your organization's IdP.
- SSO and Zapier: Users added through Zapier will join your community, but they'll only be able to log in if their email matches one in your organization's IdP.
- SSO and User Profiles:
  - If someone has already joined other Disco communities with their IdP email, they won't need SSO login for those communities.
  - Once a user connects to any SSO-enabled community, they can't change their email address.
  - If you remove someone from your community, their account stays active, but they lose access to your community.
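The JIT provisioning section and the list above describe one access decision made after the IdP has vouched for a user: an existing member gets in, an invited email that matches the IdP email is admitted, anyone else is provisioned only while "Allow Just-in-Time Provisioning" is on, and a user the IdP no longer recognizes is refused even though their Disco record still exists. The example below is written for this article to make that decision table concrete; it is not Disco's code, and the `Community` class, the outcome labels and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def normalize(email: str) -> str:
    # Match invitations and IdP accounts case-insensitively.
    return email.strip().lower()


@dataclass
class Community:
    """Constructed model of one SSO-enabled community's membership state."""
    jit_enabled: bool = True
    # Emails that already have a Disco account in this community, however
    # they arrived (joined earlier, added via the Public API, or via Zapier).
    members: Set[str] = field(default_factory=set)
    # Emails that have been invited but have not logged in yet.
    pending_invites: Set[str] = field(default_factory=set)


def login_via_sso(community: Community, idp_email: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a completed IdP login opens a Disco session.

    idp_email is the address the IdP asserted, or None when the IdP refused
    the user (for example because they were removed from the directory).
    """
    if idp_email is None:
        # Removal from the IdP does not delete the Disco account, but the
        # user can no longer get past this step.
        return False, "idp_rejected"
    email = normalize(idp_email)
    if email in community.members:
        return True, "existing_member"
    if email in community.pending_invites:
        # Invitation only counts when it matches the IdP-asserted email.
        community.pending_invites.discard(email)
        community.members.add(email)
        return True, "invitation_accepted"
    if community.jit_enabled:
        # Default setting: any valid IdP account gets an account on first login.
        community.members.add(email)
        return True, "jit_provisioned"
    return False, "not_invited_jit_disabled"


def login_via_email_password(community: Community, email: str) -> Tuple[bool, str]:
    """Once SSO is enabled, every member must authenticate through the IdP."""
    return False, "sso_required"


if __name__ == "__main__":
    c = Community(jit_enabled=False,
                  members={"alice@example.com"},
                  pending_invites={"bob@example.com"})
    for who in ["alice@example.com", "Bob@Example.com", "carol@example.com", None]:
        print(who, "->", login_via_sso(c, who))
    print("alice with password ->", login_via_email_password(c, "alice@example.com"))
```

Flipping `jit_enabled` to `True` is the only change needed for the uninvited `carol@example.com` to be admitted, which is the trade-off the JIT section describes: less admin effort versus an explicit invite list.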
How To Enable the SSO Connection in Disco
Navigate to the Admin tab of your Community and follow these steps:
- From the Admin area > Select “Integrations”.
- Scroll down to the Enterprise SSO (SAML) in the “Available” section > Click “Connect”.
- Select your identity provider from the dropdown list.
- Follow the on-screen instructions to enable SSO for the community.
- Once SSO has been enabled, copy the recovery codes shown on screen and store them in a secure place - this is the only time they will be displayed.
FAQs
Q: When SSO is enabled for my community, will users stay logged in?
A: No. When SSO is enabled for the first time, all logged-in users (members, admins, instructors, etc.) will be logged out and required to log back in using SSO.
Q: When SSO is enabled for my community, can some members log in via email while others log in through our identity provider?
A: No. Once SSO is enabled, all members must log in through the IdP. If an existing member attempts to log in using their email address instead of SSO, they will not be able to access your Disco community.
Q: Can the length of time a user stays logged in before requiring re-authentication (aka session length) be configured?
A: Yes, you can configure session length. Go to Admin > Integrations > Locate SSO > Click … > Modify Connection > scroll to bottom of window > Select session length. Changing this setting will affect future sessions only. Users with an existing session will retain the old session length.
Q: I have lost my recovery codes, or all 10 provided have been used. What should I do?
A: Contact Disco Support and our team will assist you.
Q: I’m a current Disco customer and would like access to SSO. What is the recommended next step?
A: We’d love to talk with you! Please reach out via a support ticket and note that you’d like access to SSO. We'll be in touch to discuss the next steps!