Add Cloud Pro SSO documentation

platform-cloud/cloud-sidebar.json

@@ -153,6 +153,7 @@
         "label": "Administration",
         "items": [
           "orgs-and-teams/organizations",
+          "orgs-and-teams/single-sign-on",
           "orgs-and-teams/workspace-management",
           "orgs-and-teams/roles",
           "orgs-and-teams/custom-roles",

platform-cloud/docs/orgs-and-teams/organizations.md

@@ -6,7 +6,7 @@ last updated: "2025-07-01"
 tags: [organizations, administration, workspaces, create-organization, organization-settings]
 ---
 
-Organizations are the top-level structure and contain workspaces, members, and teams. Before you start using Platform, consider the projects, research areas, and resources you'd like to build out and who'll be using them so that you can scale up easily. 
+Organizations are the top-level structure and contain workspaces, members, and teams. Before you start using Platform, consider the projects, research areas, and resources you'd like to build out and who'll be using them so that you can scale up easily.
 
 You can create multiple organizations, each of which can contain multiple workspaces with shared users and resources. This means you can customize and organize the use of resources while maintaining an access control layer for users associated with a workspace. A workspace can be public (shared across the organization) or private (accessible only to the user who created it)
 
@@ -27,21 +27,23 @@ When you create an organization, you become the organization owner. Organization
 3. Enter any other optional fields as needed: **Description**, **Location**, **Website URL**, and **Logo**.
 4. Select **Add**.
 
-You can invite or add additional members to the workspace from the workspace **Settings** page. 
+You can invite or add additional members to the workspace from the workspace **Settings** page.
 
-### Organization settings 
+### Organization settings
 
 Organization owners can view, edit, and delete organizations in the **Organization settings** screen. Select your organization from the drop-down menu, then select **Settings** in the sidebar.
 
-#### Edit or delete an organization 
+Cloud Pro organizations can also configure and manage [single sign-on (SSO)](./single-sign-on) from the organization settings page.
+
+#### Edit or delete an organization
 
 Select **Edit** in the **Edit organization** row to update the organization name, full name, description, location, website URL, and logo. Select **Update** to save.
 
-To delete your organization, select **Delete** in the **Delete organization** card. 
+To delete your organization, select **Delete** in the **Delete organization** card.
 
 ## Members
 
-You can view the list of all **Members** from the organization's landing page. 
+You can view the list of all **Members** from the organization's landing page.
 
 Seqera provides access control for members of an organization by classifying them either as an **Owner** or a **Member**. Each organization can have multiple owners and members.
 
@@ -85,34 +87,33 @@ New collaborators to an organization's workspace can be added as **Participants*
 **Collaborators** can only be added from a workspace. For more information, see [workspace management](./workspace-management#create-a-new-workspace).
 :::
 
-## Organization resource usage tracking 
+## Organization resource usage tracking
 
 Select **Usage overview** next to the organization and workspace selector dropdown to view a window with the following usage details:
 
-- **Run history**: The total number of pipeline runs. 
+- **Run history**: The total number of pipeline runs.
 - **Concurrent runs**: Total simultaneous pipeline runs.
 - **Running Studio sessions**: Number of concurrent running Studio sessions.
-- **Users**: Total users per organization. 
+- **Users**: Total users per organization.
 
-Organization resource usage information is also displayed on the organization's **Settings** tab in the sidebar of the organization landing page. 
+Organization resource usage information is also displayed on the organization's **Settings** tab in the sidebar of the organization landing page.
 
-Select **Contact us to upgrade** if you need to increase your Platform usage limits for your organization. 
+Select **Contact us to upgrade** if you need to increase your Platform usage limits for your organization.
 
 :::info
-Usage limits differ per organization and [subscription type](https://seqera.io/pricing/). [Contact us](https://seqera.io/contact-us/) to discuss your needs. 
+Usage limits differ per organization and [subscription type](https://seqera.io/pricing/). [Contact us](https://seqera.io/contact-us/) to discuss your needs.
 :::
 
-### Credits 
+### Credits
 
 [Seqera Compute](../compute-envs/seqera-compute) environments consume credits when running pipelines or Studio sessions. Credits are consumed for CPU time, memory and storage usage, and network costs. One Seqera Compute credit is equivalent to $1 (USD), and resources are charged at the following rates:
 
 - CPU time: 1 CPU/Hr = 0.1 credits
-- Memory: 1 GiB/Hr = 0.025 credits 
-- Storage: 1 GB = 0.025 credits per month 
+- Memory: 1 GiB/Hr = 0.025 credits
+- Storage: 1 GB = 0.025 credits per month
 
-:::note 
-Storage and network costs vary per region and are charged at standard AWS rates. Data ingress and egress across regions incur additional costs. 
+:::note
+Storage and network costs vary per region and are charged at standard AWS rates. Data ingress and egress across regions incur additional costs.
 :::
 
-Your available credit balance depends on the credits purchased and limits applied to your Seqera license. The **Credits** view contains the current credit balance available to the organization, and the total credits spent in the organization's workspaces. Select **Contact us to upgrade** to request additional credits for your organization. 
-
+Your available credit balance depends on the credits purchased and limits applied to your Seqera license. The **Credits** view contains the current credit balance available to the organization, and the total credits spent in the organization's workspaces. Select **Contact us to upgrade** to request additional credits for your organization.

platform-cloud/docs/orgs-and-teams/single-sign-on.md

@@ -0,0 +1,103 @@
+---
+title: "Single sign-on (SSO)"
+description: "Configure single sign-on for a Seqera Platform Cloud organization."
+date created: "2026-03-10"
+last updated: "2026-03-10"
+tags: [sso, authentication, organization-settings, cloud-pro]
+---
+
+Single sign-on (SSO) lets a Seqera Platform Cloud organization use its corporate identity provider (IdP) for authentication. After SSO is enabled, users with a matching email domain are routed to the organization's IdP when they sign in.
+
+SSO is available for **Cloud Pro** organizations and uses Auth0 self-service SSO to connect supported SAML and OpenID Connect (OIDC) identity providers.
+
+## Before you begin
+
+- SSO is available only for [Cloud Pro](https://seqera.io/pricing/) organizations.
+- Only organization owners should configure or manage SSO. For more information, see [User roles](./roles).
+- Your organization must claim an email domain that is not already claimed by another organization.
+- All existing organization members should use email addresses on the domain you want to claim. If members use other domains, Seqera blocks setup until that mismatch is resolved.
+- Domain ownership is verified during setup before the connection can be activated.
+
+:::caution
+After SSO is enabled, users on the claimed domain authenticate through the configured IdP. If the IdP is unavailable, those users can't fall back to another login method.
+:::
+
+## Organization settings states
+
+In **Organization settings**, the SSO experience depends on your subscription tier:
+
+- Cloud Pro organization owners see an option to configure SSO.
+- Cloud Basic organization owners see an upgrade prompt stating that enterprise SSO is available on Cloud Pro, with a link to pricing information.
+
+## Configure SSO
+
+1. Open your organization, then select **Settings**.
+2. Choose the option to configure SSO and enter the email domain your organization wants to claim.
+3. Use the setup link generated by Seqera to open the Auth0 self-service SSO wizard.
+4. In the wizard, select your identity provider and complete the provider-specific configuration.
+5. Run the connection test in the Auth0 wizard to confirm that authentication works.
+6. Complete domain ownership verification in the wizard.
+7. Return to Seqera and select **Enable SSO** to activate the connection.
+
+Seqera validates the domain again when you enable the connection. If the domain configured in the wizard no longer matches the domain claimed in Seqera, activation fails and you must correct the mismatch before continuing.
+
+## Sign-in behavior
+
+When an organization has active SSO:
+
+- The Seqera login flow starts with an email-first step.
+- Users whose email domain matches an active SSO connection are redirected to their corporate IdP.
+- Users whose email domain does not match an SSO connection continue with the standard Seqera login options.
+- Users who previously signed in with a social provider and have a matching SSO domain are redirected to the corporate IdP instead.
+
+## User provisioning and account linking
+
+When a user signs in through an active SSO connection for the first time:
+
+- New users are automatically added to the organization as members.
+- Existing Seqera accounts with the same email are linked to the SSO identity instead of creating a duplicate user.
+- Existing organization memberships, workspace roles, ownership, and run history are preserved.
+
+Newly provisioned users receive the lowest organization-level role by default. Organization owners can then promote those users or grant workspace-level access as needed.
+
+Organization owners can also review whether existing users have been linked to the organization's SSO identity from the organization membership view.
+
+## Manage an existing connection
+
+Organization owners can manage the SSO connection from **Organization settings**:
+
+- Suspend SSO enforcement without deleting the existing configuration.
+- Re-activate a previously disabled connection.
+- Open a management link for IdP-side changes, such as certificate rotation or provider configuration updates.
+- Delete the connection and release the claimed domain.
+
+:::note
+You can't change the claimed domain through the edit flow. To move SSO to a different domain, delete the existing connection and create a new one.
+:::
+
+## Audit log coverage
+
+SSO activity is recorded in the audit log for compliance and troubleshooting. Audit coverage includes:
+
+- SSO configuration changes such as create, enable, disable, and delete
+- User creation through SSO provisioning
+- User sign-in events that include the authentication method
+- Identity-linking updates for existing users
+
+## Troubleshooting
+
+**The setup link isn't generated**
+
+Check whether your organization already contains members with email addresses outside the domain you are trying to claim.
+
+**The claimed domain is rejected**
+
+The domain may already be claimed by another organization. In that case, contact Seqera support.
+
+**Users are not redirected to the corporate IdP**
+
+Confirm that SSO is enabled for the organization and that the user's email domain matches the claimed domain.
+
+**An existing user sees a linking problem during login**
+
+If Seqera can't link an existing account to the SSO identity, the user should contact an organization owner or Seqera support before trying again.