I currently log in with a username, not an email address. Can I use SSO?
Yes. SSO relies on the email address on your account to match your SSO profile email address. It does not rely on your username.
I share my login credentials or use a distributed or shared email address (e.g., billing@). Will SSO work?
SSO is engineered to bind one unique corporate identity (e.g., individual.user@company.com) to one user login for security purposes.
Shared credentials or distributed email addresses (which are not tied to an individual employee) may be incompatible with your Identity Provider setup and should continue to use the Username/Password login option. Check with your Identity Provider to see if this is allowed.
We do not recommend shared credentials for any accounts under any circumstance.
For further security, we recommend these accounts that use shared credentials utilize 2FA and IP Account Lock for additional layers of security or move away from shared email addresses by utilizing the sub-user feature.
What happens if our organization’s IdP goes down?
If the authentication policy is set to Require SSO = Yes, users will be unable to log in during the IdP outage because 101domain relies solely on your external IdP service for account access authorization.
If your IdP is enabled for your account and users, but Require SSO = No (is not enabled), then users can fall back to their legacy 101domain username and password. The Primary Account Owner can change this setting for themselves and any sub-user at any time.
It is recommended that the Primary Account Owner set Require SSO = Off for their own user and enable 2FA on their account as a permanent fallback.
If the Primary Account Owner requires urgent access to their account and it is set to Require SSO = Yes and their IdP is experiencing an outage, their only option is the Account Recovery process.
Does 101domain support automatic user provisioning (SCIM)?
No. We do not currently support SCIM (System for Cross-domain Identity Management).
While we use OIDC for authentication, the creation of sub-users and the assignment of roles (Admin, Tech, Finance) must be done manually by the Primary Account Owner within the 101domain Control Panel before the user can log in via SSO.
If I disable SSO, will my old password still work?
It depends. When Require SSO is turned On for a primary user account or a sub-user account, the password functionality no longer works and the existing password is removed.
If SSO is disconnected, or the Require SSO feature turned off, then the respective user must use the password reset process to log in with their existing username and a new password.
When Require SSO is not turned on but SSO is enabled on the account, the user can log in with either their username and password or SSO. If SSO is disconnected, the user may continue to use their existing username and password.
My users utilize 2FA to log in to their account. Is this still needed when they log in with SSO?
This depends. For log in, 2FA will no longer be necessary. However, for critical actions within your account, 2FA functionality will remain in place as an additional layer of security. Hold on to your 2FA app in case this comes up later.
Because SSO is directly tied to your organization’s IdP user authorization security and workflows, we defer to your IdP’s security protocols for account access. If the user is able to log in with either SSO or username/password, the username/password will continue to ask for your 2FA as it currently does.
If I disconnect the Primary Account Owner from SSO, does it automatically disconnect all my Sub-Users?
No. Disconnecting the Primary Account Owner or removing the SSO connection from the main account does not automatically disconnect Sub-Users.
To ensure security, the Primary Account Owner must manually clear the Single Sign-On Provider field and set Require SSO = Off for each individual Sub-User in the Manage Users area.
What happens to a user's access if they are removed from our company's Identity Provider (IdP)?
If you have the Require SSO = On for that user, their access is effectively terminated immediately.
Upon their next login attempt, 101domain will see that the user no longer exists or is suspended in your organization and the login will fail.
If the user is currently logged in, they will be logged out automatically when the system re-authenticates their session (every few minutes).
I have a Primary Account and a Sub-User account that use the exact same email address. Can these use SSO?
The system requires one email address to SSO profile email address match per Identity Provider.
If multiple Primary Accounts and/or Sub-User accounts attempt to connect and sign in with SSO, using the same email address, the system prioritizes the first account to enable and log in with SSO. The subsequent attempts by the different user accounts will receive an error message indicating that the email address is already connected to another account.
Can I use the same SSO profile (e.g., same Okta or Google identity) to access multiple different 101domain accounts?
No. For security, a single SSO profile can only be linked to one 101domain account.
If you attempt to connect an SSO profile that is already in use on another account, you will receive an error message stating the profile is already linked. You must use a different SSO profile identity for each distinct 101domain user account.
Why was I logged out of my account while working?
When you are logged into your 101domain account via SSO, the 101domain system re-validates your session with your Identity Provider regularly when you perform an action.
If your session has expired in your IdP, or if your administrator has disabled your access while you were working, you will be automatically logged out.
How do I disconnect all of my users on my account from my SSO Provider?
Disconnecting the Primary Account Owner or removing the SSO connection from the main account does not automatically disconnect Sub-Users.
To fully disconnect all users, the Primary Account Owner must manually navigate to Manage Users and clear the Single Sign-On Provider field and set Require SSO to Off for each individual Sub-User.
I am in the process of changing Identity Providers. How do I make the switch with my 101domain account users?
This is a multi-step process. Because the system allows only one Identity Provider (IdP) to be designated for all users on an account at a time, you must update the configuration at the Primary Account level.
The Primary Account Owner must navigate to the Configure Single Sign-On page, remove the existing connection for the account, and then go to each sub-user and clear the SSO Provider selected for each sub-user. If Require SSO was On for each user prior to clearing the SSO Provider, then each user will need to reset their passwords to access the account again.
For detailed steps to remove an existing IdP connection, visit our article Disconnecting Users and Account from the IdP and SSO.
The Primary User can then set up the new Identity Provider according to the specific IdP’s user guide. Ensure that all sub-users on the 101domain account have matching email addresses with the users at your new Identity Provider.
Visit our Supported Identity Providers (IdPs) article for guidance on each of our IdP’s (Google, Microsoft, Okta and OneLogin).
My Primary Account User has left the company, uses SSO to log in, and I need to access the account. How do I do this?
If a new Primary Account Owner requires urgent access to an account set to Require SSO and they cannot authenticate (e.g., they have been removed from the IdP or are otherwise inaccessible), your only option is to follow the Account Recovery process.
This process allows 101domain to verify your authority and help you regain administrative access.
Our company manages multiple 101domain client accounts, each with a different login but the same shared email address for consolidated communication. How can we enable SSO?
You cannot use the same SSO profile to access multiple different 101domain accounts. Single Sign-On is engineered to bind one unique corporate identity to exactly one 101domain account.
If you attempt to connect an email address that is already linked to another account, you will receive an error message that the profile is already in use.
There are two options that may work for you:
1. Check with your Identity Provider to see if they have a solution for shared accounts.
2. Instead of relying on the same email address in the user configuration, contact our support and we can add the same “CC” email address to each account so that a copy of emails from all of your accounts are sent to a single email address. This does not interfere with SSO.
I have multiple sub-user accounts with different usernames, but with the same email address so I receive all my emails to the same place. How can I use SSO?
You cannot enable SSO for all of them. The system requires a strict one-to-one match between an email address and a user account.
If multiple sub-user accounts attempt to use the same email address for SSO, the system will prioritize the first account that connects, and subsequent attempts by other users with the same email will fail with an error.
You must use unique email addresses for each sub-user to utilize SSO, or continue using username and password.
If you have any questions or experience any difficulties with managing your SSO Configuration, please contact our friendly Support Team at 877.983.6624 (United States) or +1.760.444.8674 (International).