Single Sign-On
Overview
You may configure your account to use one or more Single Sign-On (SSO) Identity Providers (IdPs). Once enabled, users can use the IdP to log into your ngrok dashboard. You may also configure enforcement settings to require users to log into your ngrok account with SSO.
Once you have configured SSO, you may also enable SCIM to automate user provisioning for your ngrok account.
Set up SSO on the Account Settings page of your ngrok dashboard.
Supported Providers
ngrok supports identity providers that support either SAML or OpenID Connect for SSO, including Okta and Microsoft AzureAD.
Enforcement
Your account sets an SSO Enforcement policy which controls whether users are required to log in with SSO.
- Mixed Mode: In Mixed Mode, users who existed on your account before you set up SSO may continue using their existing credentials to log in. All new users will be required to use SSO.
- SSO Enforced: In SSO Enforced mode, all users must use your SSO IdP to log in and their existing credentials will no longer allow them to log into your account.
Keep in mind that after you add an IdP, your account is still in Mixed Mode and users can continue to log in with their previous credentials. Once you are confident that your SSO integration is configured correctly, you can switch to SSO Enforced mode. This helps you avoid inadvertently locking yourself or your users out of the account.
IdP-Initiated Login
ngrok supports IdP-initiated login flows for SAML IdPs. An IdP-initiated login flow is one in which users can log into your ngrok account by clicking on a link in your IdP's dashboard.
You may enable IdP-initiated login on a per-IdP basis. The OpenID Connect protocol does not support IdP-initiated login, so it is not available for IdPs you connect using OpenID Connect.
User Provisioning
When using SSO, you may configure how users are provisioned and deprovisioned from your ngrok account. You may configure your account to provision users in one of three modes:
- Explicitly invited by an existing member of your account
- Just-in-time (JiT) provisioned after they successfully log in with SSO
- Managed via your IdP's SCIM integration
It is recommended that you choose either JiT or SCIM. See User Provisioning for more details.