Org configuration rules

​

Allowed Auth Methods

• If allowed_auth_methods is empty
  • then auth_methods cannot be set to RESTRICTED.
• If allowed_auth_methods is not empty
  • and auth_methods is set to RESTRICTED, then all members looking to authenticate will be required to use one of these auth methods.
• If allowed_auth_methods is updated
  • then the entire list will be overwritten by the new values.
  • then all currently active Members will remain active even if their auth methods no longer comply with allowed_auth_methods. However, the member will not be able to authenticate with the disallowed methods.
  • and auth_methods is set to RESTRICTED, then auth_methods cannot be set to an empty array.

​

Allowed MFA Methods

• If allowed_mfa_methods is empty
  • then mfa_methods cannot be set to RESTRICTED.
• If allowed_mfa_methods is not empty
  • and mfa_methods is set to RESTRICTED, then all members looking to authenticate with MFA will be required to use one of these MFA methods.
• If allowed_mfa_methods is updated
  • then the entire list will be overwritten by the new values.
  • then all currently active Members will remain active even if their MFA methods no longer comply with allowed_mfa_methods. However, the member will not be able to MFA authenticate with the disallowed methods.
  • and mfa_methods is set to RESTRICTED, then mfa_methods cannot be set to an empty array.

​

Email Magic Links

• If email_allowed_domains is empty
  • then email_invites cannot be set to RESTRICTED.
  • then email_jit_provisioning cannot be set to RESTRICTED.
• If email_allowed_domains is not empty
  • and email_invites is set to RESTRICTED, then all new Members must have an email address that complies with email_allowed_domains in order to be invited by email.
  • and email_invites is set to ALL_ALLOWED, then any new Member can be invited to email.
  • and email_invites is set to NOT_ALLOWED, then email invites are disabled.
• If email_allowed_domains is not empty
  • and email_jit_provisioning is set to RESTRICTED, then all new Members must have an email address that complies with email_allowed_domains in order to be provisioned via Email Magic Links.
  • and email_jit_provisioning is set to ALL_ALLOWED, then any new Member can be provisioned via Email Magic Links.
  • and email_jit_provisioning is set to NOT_ALLOWED, then JIT provisioning via Email Magic Links is disabled.
• If email_allowed_domains is updated
  • then the entire list will be overwritten by the new value.
  • then all Members will remain active even if their email_address no longer complies with email_allowed_domains.
  • and either email_invites or email_jit_provisioning is set to RESTRICTED, then email_allowed_domains cannot be set to an empty array.

​

Single Sign On

• If sso_jit_provisioning_allowed_connections is empty
  • then sso_jit_provisioning cannot be set to RESTRICTED.
• If sso_jit_provisioning_allowed_connections is not empty
  • and sso_jit_provisioning is set to RESTRICTED, then all new Members must have an SSO login that complies with sso_jit_provisioning_allowed_connections in order to be provisioned via SSO.
  • and sso_jit_provisioning is set to ALL_ALLOWED, then all new Members will be automatically provisioned via any of the Organization’s sso_active_connections.
  • and sso_jit_provisioning is set to NOT_ALLOWED, then JIT provisioning via SSO is disabled.
• If sso_jit_provisioning_allowed_connections is updated
  • then the entire list will be overwritten by the new value.
  • then all currently active Members will remain active even if their sso_registrations no longer complies with sso_jit_provisioning_allowed_connections.
  • and sso_jit_provisioning is set to RESTRICTED, then sso_jit_provisioning_allowed_connections cannot be set to an empty array.