We would like to be able to allow the “Account Owner” to log in with a password and bypass SSO.

I notice on the logon screen, it does support the “Login with a password” function. But, regardless, it always redirects to our IDP. Alternatively, there could be a special logon URL which bypasses SSO. I’ve seen it done multiple ways.

The typical use case is so that the privileged “Account Owner” account is NOT tied to an actual individual in the organization. Individuals come and go, and SSO can break. Therefore, we usually want the superuser account to be a generic, unlicensed, break-glass account that does not require SSO and is protected by MFA.

To be clear, we do NOT want any other user to be able to log in via a “backdoor” password and bypass SSO.

We would also use this account as the default owner to transfer documents to when a user is deleted through whatever automation (SCIM?) process we use.


Would you worry about a situation where the super-user was fired from their job, and they were able to access/delete/copy/damage the files out of spite, because they didn’t need to access via SSO?


Would you worry about a situation where the super-user was fired from their job, and they were able to access/delete/copy/damage the files out of spite, because they didn’t need to access via SSO?

The OP states that the super user is NOT tied to an individual.

Having a break glass account to deal with any potential SSO issues is industry best practice, and needs to be implemented by Lucid.


@RSNSC – You’re right. I don’t know what I was drinking when I made that comment. 😜


Adding support for the idea. I want to restrict standard users to authenticating via SSO only, but allow for the account owner to authenticate via password + 2FA. Our account owner is tied to a non-person entity.