In order for SSO to work properly, there are some design assumptions that you need to understand.
- There needs to be a one-to-one relationship between a user's account and their identity provider. For example, firstname.lastname@example.org cannot use both Okta and Google as their IdP for SSO. If your company has employees who need to use more than one SSO identity provider to access different sites in Recurly, those employees will need separate accounts in Recurly, one for each identity provider.
- The user ID in Recurly must match the user ID in your identity provider. Recurly uses the email address as the user ID, so the email address that Okta has for the user must be the same as the email address for the Recurly user. If the two do not match, you can update the user's email in Recurly and then enable SSO for the user.
- You configure SSO at the site level in Recurly. If a user is associated with 2 sites and both require the user to use SSO, the first site to require SSO will "win": its SSO configuration defines which IdP / SSO the user will be required to use.
- SSO controls authentication to the Recurly App; it does not govern which sites the user can access once they are logged in. If a user is using SSO and is associated with multiple sites in Recurly, once logged in they will see and be able to navigate to all of their sites.
- When a user is using SSO, they no longer have access to Recurly's 2-factor authentication service.
- Recurly currently offers support for Okta's single sign-on product. If you're interested in SSO but use a different identity provider, please contact Support and let us know which identity provider you want to use.
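
A pre-rollout audit of the account, email and site rules listed above, written as an added example (it is not Recurly or Okta code and calls neither service's API). The site names, IdP labels, user lists and data shapes are constructed, and treating "the same email address" as exact string equality is an assumption.

```python
# Constructed sample data; names and shapes are assumptions for this example.
# Dict order = order in which each site started requiring SSO.
SITE_IDP = {"billing-eu": "okta-corp", "billing-us": "okta-subsidiary"}
IDP_DIRECTORY = {
    "okta-corp": {"ana.ruiz@example.org", "ben.cho@example.org", "cy.lee@example.org"},
    "okta-subsidiary": {"cy.lee@example.org"},
}
RECURLY_USERS = [
    ("ana.ruiz@example.org", ["billing-eu"]),
    ("Ben.Cho@example.org", ["billing-eu"]),
    ("cy.lee@example.org", ["billing-eu", "billing-us"]),
    ("dee.fox@example.org", ["sandbox"]),
    ("eli.ng@example.org", ["billing-us"]),
]

def audit_sso_readiness(users, site_idp, idp_directory):
    """Return (email, finding, detail) tuples for accounts that need attention."""
    findings = []
    for email, sites in users:
        # SSO-requiring sites for this user, oldest requirement first.
        sso_sites = [s for s in site_idp if s in sites]
        if not sso_sites:
            continue  # no site requires SSO for this user
        effective = site_idp[sso_sites[0]]  # first site to require SSO "wins"
        if len({site_idp[s] for s in sso_sites}) > 1:
            # One account cannot use two IdPs: a separate account per IdP is needed.
            findings.append((email, "idp_conflict", effective))
        directory = idp_directory.get(effective, set())
        if email not in directory:
            # Exact match is assumed to be required; a case/whitespace-only near
            # match is reported as the likely value to set on the Recurly user.
            near = sorted(e for e in directory
                          if e.strip().lower() == email.strip().lower())
            findings.append((email, "email_mismatch", near[0] if near else None))
    return findings

if __name__ == "__main__":
    for row in audit_sso_readiness(RECURLY_USERS, SITE_IDP, IDP_DIRECTORY):
        print(row)
```

For `idp_conflict` the detail is the IdP that applies under the first-site rule; for `email_mismatch` it is the near-matching IdP address, or `None` when the user is missing from that directory.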