Roll out SSO to your team
Overview
The rollout follows a single sequence: set up your own SSO admin user, transition the rest of the team off their legacy accounts, and notify each affected user as their legacy account is removed.
Identify your situation
| Your situation | Your steps |
|---|---|
| Existing organisation — legacy users have no projects to preserve. | Set up SSO admin → Remove legacy accounts → Notify |
| Existing organisation — legacy users own projects or are members of projects. | Set up SSO admin → Coordinate project transfers → Remove legacy accounts → Notify |
Prerequisites
SSO has been configured and activated for your company account. See SSO sign up request and How to configure your OIDC SSO.
You have admin access via your legacy (email + password) credentials.
Step 1 - Set up your own SSO admin user
The goal is to give your SSO-authenticated user Admin privileges and then remove your legacy account, so that you operate purely from your SSO user.
Follow the procedure in Set up your SSO admin account to create your SSO user and promote it to Admin. If you own projects on your legacy account, transfer them to your SSO account using the Moving project ownership to SSO user guide, then delete your legacy account.
By the end of this step you'll be logged in as the SSO admin, with no legacy account of your own, ready to handle the rest of the team in Step 2.
Step 2 - Switch the rest of your team to SSO
At this point you're operating purely from your SSO admin account. This is the cutover from legacy to SSO accounts for everyone else in your organisation. The exact procedure depends on whether legacy users have any projects that need to be preserved first.
If a legacy user is the sole owner and only member of a project at the time you delete them, ownership transfers to you (the admin performing the deletion). You can pick those projects up afterwards and reassign them as needed.
If legacy users have no projects
Go to the Users menu and delete each legacy user account.
Inform colleagues that they should log in to hxdr.app via Single Sign-On using their company email. Their SSO account is created automatically on first login.
As users log in via SSO, assign their company account role from the Users menu and add them to projects as needed.
If legacy users own projects
Announce the migration to your organisation. Tell each user that SSO is being enabled and direct them to the Moving project ownership to SSO user guide.
Have each user log in to hxdr.app via SSO. This creates their SSO account automatically — no invitation needed.
Have each user transfer their projects. Following the Moving project ownership guide, they transfer memberships and ownership from their legacy to their SSO account, then confirm back to you when done.
Remove the legacy account from the Users menu once the user has confirmed their transfer and you've verified their SSO account has access to all expected projects.
Step 3 - Notify each affected user
After removing a user's legacy account, send a notification to that user. The message must inform them that:
Their legacy login (email + password) is no longer valid.
They must log in via Single Sign-On at hxdr.app using their company credentials going forward.
Send the notification per user, immediately after each account removal, so the affected user can regain access without delay.