After enabling SAML, I can still log in with password. Is this only because I’m admin?

Hello @millions-train-91139. I received your message via MJ internally. After setting up SAML SSO integration, did you also change the Membership Requirements to use SAML here:

<https://app.pulumi.com/><your-org>/settings/access-management

Yes

enabling saml sso does not disable other sign in methods, i think we have a feature issue in service-requests for this though, let me take a look

What I did: 1. Enable SAML integration through Google Workspace 2. Log in with SAML 3. Get a message that my users are not connected 4. Go to Account Administration and Link my user-password to my SAML provider for my org 5. Login with SAML successfully 6. Tried to log in with password - worked a. I thought this was due to the fact that you allow Admins only to have an alternative manner, of logging in, but usually it is more explicit b. In Datadog they don’t safeguard you - so I had to manually select to allow password authentication on myself c. On GitHub they give you login codes for disaster recovery d. So I was still optimistic 7. Then I added other users to SAML, they went through the similar process 8. And still were able to login using github or password 9. I said okay, maybe you also verify somehow with the SAML provider - far fetched by I was optimistic 10. I moved some of the users out of the Engineering OU 11. And still they were able to login! even without being in the correct SAML OU From customer experience perspective, implementing SAML and marketing this an Enterprise Plan but not implementing the basic feature that is the reason for people being interested in SAML for the first place is VERY misleading - we could have used Github SSO before that, so we actually got nothing from the current SAML feature My team is pretty small, so we were fine with Team edition, but we moved to Enterprise just for the SAML SSO feature since we are under high security scrutiny (Working on our SOC2 in our first year since founding) - so not “too glad” However taking things into perspective, I’m sure that you will implement the correct SSO/SAML security guarantees in the near future (I hope - that issue is open for more than a year and only +2 on the votes!) - however I’m not too keen on paying for something with not much value. The impact on my business that if someone in my Org will set up a “email-password” authentication - they will be able to login even after leaving the company if we don’t pay attention to the Pulumi roles of our engineering teams. Thanks, Sam

haha noticed that too, heh

Thanks for the quick response - In Pulumi I Trust

I will definitely bring your write up to the right people on the team. This is valuable feedback.