This describes how to use SAML/SSO for multi-organization environments.
Automox supports multiple SAML configurations for all organizations that you manage. Multi-org SAML allows you to create a SAML configuration for each organization, providing specific access based on the org and users.
Currently, multi-org SAML only supports a one-to-one relationship with orgs. Each org needs its own SAML configuration and its own SAML app in the IDP.
The process for configuring Multi-Org SAML is the same as for Single-Org SAML. In any organization, follow the Single-Org SAML configuration steps to set up a SAML configuration.
Once configured, any user with an account in the org with SAML enabled will be redirected to the IDP for login, unless they specify an organization at login.
IDP-initiated logins behave as expected. When a user clicks on a specific app in your IDP for an org, they are redirected to that org. Once logged in, they can optionally navigate to another org that they are part of if they use the Automox multi-org drop-down menu.
SP-initiated logins behave differently depending on how you want users to reach their specific orgs:
Generic Login: If users visit console.automox.com and attempt login, Automox defaults to the SAML configuration of the lowest org ID that the user has access to and that has SAML enabled. If org A for the user has SAML, the SAML configuration for org A will be used. If org A has password login and org B has SAML enabled, org B’s SAML configuration will be used.
Define an Org ID: Users can log in directly to a specific org if they specify an org ID in the login URL. If a user specifies org A in their login URL, org A’s SAML configuration will be used to log them in.
Specifying an org ID in the login URL is easy. The org ID for any given account can be found when logged into the console: the URL contains a parameter of the form “?o=XXXX”, where XXXX is the org ID. Append the same “?o=XXXX” parameter to the login URL (https://console.automox.com/login) to force login to that specific org.
Automox recommends bookmarking specific login URLs so that users can navigate directly to specific accounts.
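The routing rules above, modelled as an added example (this is not Automox code): the org ID is read from the login URL's ?o= parameter, an explicit org wins, and otherwise the lowest org ID with SAML enabled is chosen. The org IDs, the user_orgs mapping and the handling of an org the user does not belong to are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlparse


def org_from_login_url(url: str):
    """Return the org ID carried in a login URL's ?o=XXXX parameter, or None."""
    values = parse_qs(urlparse(url).query).get("o")
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def resolve_login(user_orgs: dict, requested_org=None):
    """Decide which login flow a user gets.

    user_orgs maps each org ID the user belongs to -> True if that org has
    SAML enabled, False if it uses password login (constructed input shape).
    Returns ("saml", org_id) or ("password", None).
    """
    if requested_org is not None:
        # Explicit ?o= in the login URL: that org's configuration is used.
        if requested_org not in user_orgs:
            # Not covered by the documentation; treated as an error here (assumption).
            raise ValueError(f"user has no account in org {requested_org}")
        if user_orgs[requested_org]:
            return ("saml", requested_org)
        return ("password", None)  # assumption: password org stays password login
    # Generic login at console.automox.com: lowest org ID with SAML enabled wins.
    for org_id in sorted(user_orgs):
        if user_orgs[org_id]:
            return ("saml", org_id)
    # No org with SAML enabled: fall back to password login.
    return ("password", None)


def resolve_from_url(url: str, user_orgs: dict):
    """Combine both steps: parse the bookmarked login URL, then route."""
    return resolve_login(user_orgs, org_from_login_url(url))
```

Worth noting when reviewing access: a user who belongs to several orgs is routed to whichever IDP the rule selects, so a generic login for a user with a SAML org A and a SAML org B always goes to org A's IDP unless the bookmark names org B.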
Inviting and Provisioning Users
With Multi-Org SAML enabled, users can be invited to other orgs through the regular user invite workflow. If SAML is enabled in the org that you are inviting them to, they will need appropriate access to that org's SAML app in your IDP.
Provisioning users from the IDP is only supported on IDP-initiated login. To provision a user to a specific org, enable provisioning when setting up the SAML configuration and give the user access to the appropriate app in your IDP. When they attempt login, an account will be created for them in the appropriate org.