Enable and Disable Single Sign-On (SSO) for a Group

    Single sign-on (SSO) is a popular solution to maintain security for Admins while providing ease-of-use to end users. SSO allows a user to log in once and access services without re-entering authentication factors.

    Backblaze Support for SSO

    Backblaze currently allows SSO for the following authentication domains:

    • Google GSuite
    • Microsoft Office 365
    • OpenID (Enterprise Control only)

    These providers can themselves accept an SSO credential from another trusted provider. Popular options include Okta and OneLogin. Therefore, an SSO credential that works with the providers above can also enable access to Backblaze.

    For example, a GSuite SSO domain can accept credentials from third parties such as Okta or OneLogin. Although Backblaze does not accept Okta or OneLogin's credentials directly, Backblaze SSO does accept GSuite’s credentials. When a user signs in to Backblaze, Backblaze requests a credential from GSuite, and then GSuite (because it accepts Okta or OneLogin's credentials) sends the requested authorization. In effect, the user signs on to Backblaze through Okta or OneLogin indirectly.

    Limitations

    Be aware of the following limitations:

    • Third-party authentication works directly only with the authentication domains listed above.
    • All users in the SSO-enabled group must use SSO to sign on.
    • All of the users in the group must have an email address from the same provider that works with SSO. For example, if a group uses GSuite, all of the users within the group must authenticate with GSuite (although multiple GSuite domains are acceptable).
    • SSO should be turned on only if all existing users in the group have an account in the authentication domain. If an existing user has an email address that is unable to provide the correct credential, that user will be unable to sign in.
    • After SSO is turned on, user emails that are not in the authentication domain cannot be added to the group because they would be unable to sign in.

    Backblaze invites administrators to begin with a small test group to ensure that everything goes smoothly.
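
    A pre-flight check for the limitations above, as an added example (not Backblaze code): it sorts a group's member emails into those covered by the SSO domains you plan to enter and those that would be unable to sign in. The member list and domains are constructed sample data, and exact matching of the email domain against the listed domains is an assumption.

```python
"""Pre-flight check: which group members would be locked out by enabling SSO?"""


def email_domain(address):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain or " " in address:
        return None
    return domain.lower().rstrip(".")


def preflight(members, sso_domains):
    """Split members into (ok, locked_out, malformed) for the given SSO domains.

    Assumption: a member can sign in only if the email domain exactly matches
    one of the domains listed for the group, so a subdomain must be listed
    separately.
    """
    allowed = {d.strip().lower().rstrip(".") for d in sso_domains if d.strip()}
    ok, locked_out, malformed = [], [], []
    for address in members:
        domain = email_domain(address)
        if domain is None:
            malformed.append(address)      # fix the record before enabling SSO
        elif domain in allowed:
            ok.append(address)
        else:
            locked_out.append(address)     # would be unable to sign in
    return ok, locked_out, malformed


# Constructed sample data (not real accounts or domains).
SAMPLE_MEMBERS = [
    "alice@example.com",
    "Bob@Example.COM",            # domain comparison is case-insensitive
    "carol@eu.example.com",       # subdomain that is not in the list
    "dave@personal-mail.test",    # outside the authentication domain
    "not-an-address",
]
SAMPLE_SSO_DOMAINS = ["example.com", "example.org"]

if __name__ == "__main__":
    ok, locked_out, malformed = preflight(SAMPLE_MEMBERS, SAMPLE_SSO_DOMAINS)
    print("Covered by SSO domains:", ok)
    print("Would be locked out:   ", locked_out)
    print("Malformed addresses:   ", malformed)
    print("Safe to enable SSO:    ", not locked_out and not malformed)
```

    Enable SSO only when the last two lists are empty, or after the listed members have been moved to an address in the authentication domain.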

    Enable SSO for a Group

    1. Sign in to the Backblaze web console.
    2. In the left navigation menu under Business Groups, click Group Management.
    3. For the appropriate group, click Edit Group.
    4. In the dialog, scroll to the Group Single Sign-On field and select a provider.
    5. In the Domains text field, enter the provider’s domain(s) that the group should support and click Add Domain.
    6. Click Update Group.

    Enable OpenID SSO for a group with Enterprise Control

    1. In the left navigation menu under Business Groups, select Group Management.
    2. On the Group Management page, locate the group that you want to edit and click Edit Group.
    3. Under Group Single Sign-On, select OpenID Connect as the Provider.
    4. Enter the URL of the OpenID Connect issuer or the metadata document.
    5. Click Auto-discover Endpoints.
    6. Click Authenticate.
    7. Under Domains, enter your organization's domain and click Add Domain.
      Repeat this step for all of your organization's domains.
    8. Click Update Group.

    Disable SSO for a Group

    1. Sign in to the Backblaze web console.
    2. In the left navigation menu under Business Groups, click Group Management.
    3. For the appropriate group, click Edit Group.
    4. In the dialog, scroll to the Group Single Sign-On field and disable the SSO provider.
    5. Click Update Group.

    Members of the group are reverted to their previous credentials. Users who enabled two-factor authentication are returned to two-factor authentication. Members who were added after SSO was enabled may not have an account password and must reset their password using the Forgot Password? link on the sign-on screen before they can log in.

    Change an Email Address in an SSO Group

    1. Remove the email address from the group using one of the following options:
    2. Ask the member to sign in to their Backblaze account and change their email address.
      1. In the user menu in the upper-right corner of the page, select My Settings.
      2. Click Change Email Address.
      3. Enter the current password, enter and confirm the new email address, and click Change Email.
    3. Re-invite the user to the group using the new email address.
