@lively-answer-93856

I have CI/CD GitHub user that was added to pulumi org. Now we would like to enable SSO for the org.

Enabling SSO for the organization changes the so-called “membership requirements” for all organization members. In order for a Pulumi user to have access to an organization’s resources, we perform two checks: 1. Is the Pulumi user account a member of the organization? 2. Does the Pulumi user meet the organization’s membership requirements? So for this CI/CD robot account, the answer is yes. You added them to your Pulumi organization. And I presume the robot account is also a member of the GitHub organization that is the “membership requirement” for your Pulumi org. So far so good. But when you switch the Pulumi organization to using SAML SSO, your existing organization members will lose access! When you change the organization’s membership requirements to using SAML SSO, then every existing organization member (*) will no longer have access to the Pulumi organization. Because they haven’t established a connection between the SAML SSO identity provider and their Pulumi account. So, just like if we couldn’t confirm a user was a member of the backing GitHub organization, we cannot confirm they have a valid SAML SSO login, and block their access. (*) An exception is made for the person who sets up and configures SAML SSO. So that they have access to the organization to configure SAML SSO and/or change settings if the SAML configuration is broken in some way. To regain their access, organization members need to log into Pulumi using their existing GitHub identities (like today). And then on the Profile page, click “Connect SSO”. That will lead them through the SAML SSO login flow, and connect the new SAML identity to their existing Pulumi account. ## Sounds bad? Can I switch to SAML SSO from GitHub without disruption? Yes, you can. There unfortunately isn’t a smooth way to do this in the Pulumi Service yet. But if you file a support ticket, we can work together so that you can switch to using SAML SSO without any of your existing organization members losing access.

I need to know if that CI/CD user will still be able to authenticate into Pulumi via existing access token. CI/CD user will not have to login via UI (for a while, it will get replaced by another user from SSO later on).

Like any other Pulumi user account, they won’t be able to access the Pulumi organization until they’ve “connected their SAML identity”. (i.e. meeting the organization’s membership requirements.) However, just like before, if you file a support ticket we can work with you to flip a few bits so that we exempt that CI/CD-only user from the regular SAML SSO checks. And once we’ve done that, the existing Pulumi access tokens for that user will still work as-is, even for the SAML-backed organization. This is definitely a known problem of sorts, and you aren’t the first person to need help to get this scenario working. (Sorry about that.) But the good news is that we are actively working on some security improvements that will help smooth out the experience here. So hopefully soon you can manage things like “CI/CD access tokens” for an organization without needing to create pseudo-user accounts. If you have any other questions please let me know!