Provide a way to limit SSO paths for an Org #43

Closed
MitchellGerdisch opened this issue Feb 10, 2022 · 2 comments

@MitchellGerdisch

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Conditions:

  • Using Pulumi Service (SaaS)
  • Organization, Acme, has SAML SSO enabled (e.g. Okta)
  • Sam has been granted access to the Acme organization.
  • Sam can log in to the Acme organization using the given SAML SSO.
  • Sam also has a personal account that is accessed using, say, GitHub.
  • Sam's GitHub and Okta user identities are the same.

Problem:
Sam can log in to Pulumi using GitHub and then access the Acme organization, thus bypassing the Okta SAML SSO path.

Request:
Enforce the Pulumi organization's SSO method when accessing the org.

Affected area/feature

SAML/SSO

@MitchellGerdisch MitchellGerdisch added the kind/enhancement Improvements or new features label Feb 10, 2022
@simon-brantonhousley-caribou

I would not consider this a feature, but a security requirement. If an org is using SSO, then they want to be able to manage a user's access to an application.
Allowing a user to also log in using username/password, GitHub, etc. completely bypasses the org's security requirements.

@EvanBoyle EvanBoyle added this to the 0.89 milestone May 30, 2023
@EvanBoyle EvanBoyle added the resolution/fixed This issue was fixed label May 30, 2023
@EvanBoyle
Contributor

Pulumi Cloud now issues SAML challenges when you select a SAML-backed org from within the console. Closing this issue out as fixed.
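
The check requested in this issue, as an added example that is not Pulumi's code: access to an org is decided from how the session authenticated, not only from membership, and a mismatch produces a SAML challenge. The `Org` and `Session` models, the `okta-acme` IdP name and the 8-hour re-authentication window are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    SAML_CHALLENGE = "saml_challenge"  # send the user to the org's IdP first
    DENY = "deny"


@dataclass(frozen=True)
class Org:  # hypothetical model, not Pulumi's schema
    name: str
    members: frozenset
    saml_idp: Optional[str]  # None means the org does not enforce SSO


@dataclass(frozen=True)
class Session:  # hypothetical model
    user: str
    auth_method: str  # "github", "password", "saml", ...
    saml_idp: Optional[str] = None  # IdP that issued the assertion, if any
    saml_auth_time: Optional[float] = None  # epoch seconds of that assertion


MAX_SAML_AGE = 8 * 3600  # assumed re-authentication window, in seconds


def authorize_org_access(session: Session, org: Org, now: float) -> Decision:
    """Decide per organization: membership alone does not grant access."""
    if session.user not in org.members:
        return Decision.DENY
    if org.saml_idp is None:
        return Decision.ALLOW
    # The bypass from the issue: same identity, but a different login path.
    if session.auth_method != "saml" or session.saml_idp != org.saml_idp:
        return Decision.SAML_CHALLENGE
    # An old assertion must not outlive removal of the user at the IdP.
    if session.saml_auth_time is None or now - session.saml_auth_time > MAX_SAML_AGE:
        return Decision.SAML_CHALLENGE
    return Decision.ALLOW


# Constructed sample data mirroring the scenario in the issue.
ACME = Org("Acme", frozenset({"sam"}), saml_idp="okta-acme")
PERSONAL = Org("sam-personal", frozenset({"sam"}), saml_idp=None)
SAM_GITHUB = Session("sam", "github")
SAM_OKTA = Session("sam", "saml", "okta-acme", saml_auth_time=1_000.0)
```
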
