This article is aimed at a technical audience, and you are likely to need the assistance of the system administrator for your Azure (or similar) setup.

It is possible to make the use of single sign-on (SSO) mandatory at a team level. This applies only to SAML2 access, not to access using Google accounts.

Team administrators can ask us to enable mandatory SSO for the whole team, which means:

  • New platform users will find that their invitations only offer the option to sign up using their existing corporate SSO identity, not to create a new email/password combination

  • Existing users with Click-specific email address/password combinations will no longer be able to use these to sign in, and will instead be asked to link their accounts to SSO if they have not done so in the past

Why might we want to mandate SSO use?

Two good reasons to mandate SSO use to access Click Travel are:

1) If two-factor authentication is enabled on your SSO account, you now effectively have that extra layer of security guaranteed when accessing Click Travel

2) Any inactive/disabled user SSO accounts cannot be used to access the Click Travel platform, so you get automatic disabling of leavers' accounts if your SSO directory is up to date with this information

How does a customer mandate SSO for their teams?

Enabling mandatory SSO is a quick process, but it requires our engineers to make a few changes and is therefore not self-service. Speak to your Account Manager if you would like this to be enabled. It can also be removed, to allow non-SSO accounts again, using the same process.

What is the user experience?

A new user signing up to an SSO-mandating team will be guided through the sign-up process in their invitation email as usual. The second video on this Help Centre page shows what the sign-up flow looks like.

An existing email/password user whose team now mandates SSO use will be asked to link their account to their SSO identity. The second half (from 00:43) of the first video on this Help Centre page shows that flow.

A user account with access to more than one team will still be able to access other, non-SSO-mandating teams when signing in with a Click email/password combination, but not the SSO-mandating team. For users with only one team, where that team mandates SSO usage, signing in with a Click email/password will not be allowed, as they wouldn't be able to access any valid teams using that sign-in method.
