Require multi-factor authentication, set up Single Sign-On, and provision dashboard accounts from your identity provider.
The authentication settings page controls how your team signs in to the WorkOS dashboard. From here you can verify your email domain, require all members to sign in through your identity provider, automatically provision and deprovision accounts, and enforce multi-factor authentication (MFA).
Only members with the Admin role can view or change authentication settings.
Before you can set up Single Sign-On or directory provisioning for your team, you must verify ownership of your email domain. The domain you verify must match the email domain of your dashboard account – for example, an admin signed in as alice@example.com must verify example.com.
The Domains section walks you through verification by adding a DNS record. Once the domain is verified, the Single Sign-On and directory provisioning sections become available.
The Single Sign-On section lets you require all team members to authenticate to the WorkOS dashboard via your identity provider, using the same SSO technology WorkOS provides to your applications.
Setting up SSO for your team requires:
The setup flow opens a guided configuration experience where you connect your identity provider. Once the connection is active, team members sign in through your identity provider instead of using email-based authentication.
Multi-factor authentication enforcement is handled by your identity provider when your team authenticates through SSO, so the dashboard’s MFA requirement is not available while SSO is active.
The Directory provisioning section lets you automatically provision and deprovision dashboard accounts by syncing with your identity provider, using Directory Sync. Role assignments are also synced from your identity provider groups, so members’ dashboard roles are controlled centrally.
Two distinct WorkOS features are named “directory provisioning.” The feature on this page provisions members of your own WorkOS dashboard team from your identity provider, and you can set it up yourself. AuthKit Directory Provisioning provisions your application’s users and organization memberships from your customers’ directories, and is enabled by WorkOS support on request. When contacting support, specify which one you mean.
Directory provisioning requires:
When setting up directory provisioning, make sure at least one user is in a group mapped to the Admin role. Otherwise your team can lose admin access to its own workspace.
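The check described above can be run against an export of your identity provider before you turn directory provisioning on. This is an added example, not WorkOS code: the `DirectoryUser` shape, the group names, the non-Admin role name, and the sample data are all constructed assumptions, and the script calls no WorkOS API.

```python
from dataclasses import dataclass

ADMIN_ROLE = "Admin"  # role name as it appears on this page


@dataclass(frozen=True)
class DirectoryUser:  # hypothetical shape of one row in an identity provider export
    email: str
    groups: frozenset
    active: bool = True


def admin_lockout_check(users, group_to_role):
    """Return (admins, reason).

    admins: emails of active users in a group mapped to the Admin role.
    reason: None when admins is non-empty, otherwise why nobody would be Admin.
    """
    admin_groups = {g for g, role in group_to_role.items() if role == ADMIN_ROLE}
    members = [u for u in users if u.groups & admin_groups]
    admins = sorted(u.email for u in members if u.active)
    if admins:
        reason = None
    elif not admin_groups:
        reason = "no group is mapped to the Admin role"
    elif not members:
        # Typical cause: the mapping names a group that is empty or misspelled.
        reason = "Admin-mapped groups have no members: " + ", ".join(sorted(admin_groups))
    else:
        reason = "every member of the Admin-mapped groups is deactivated"
    return admins, reason


# Constructed sample data; role names other than Admin are placeholders.
USERS = [
    DirectoryUser("alice@example.com", frozenset({"dashboard-admins"})),
    DirectoryUser("bob@example.com", frozenset({"engineering"})),
    DirectoryUser("carol@example.com", frozenset({"dashboard-admins"}), active=False),
]
MAPPING = {"dashboard-admins": "Admin", "engineering": "Member"}

if __name__ == "__main__":
    admins, reason = admin_lockout_check(USERS, MAPPING)
    print("safe to enable:" if admins else f"do not enable ({reason}):", admins)
```
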
Once directory provisioning is active, synced members are managed by the directory:
The Additional security section lets admins require MFA for the whole team.
When the requirement is enabled, all team members must use multi-factor authentication to sign in. Anyone who hasn’t enrolled yet is prompted to enroll at their next sign-in.
Before you can enable the requirement, you must first enroll in MFA on your own account from your profile settings. The requirement is also unavailable when your team authenticates through SSO, since your identity provider enforces MFA in that case.
Disabling the requirement stops prompting new members to enroll, but members who already enrolled still complete MFA at sign-in unless an admin resets their factor.