Login Flow After SSO Activation
Once SSO is enabled, users no longer use their AdOpt email and password. The new login flow is:
1. Go to `dash.goadopt.io/sso/login`
2. Enter the identity provider name configured by the admin
3. Get redirected to the company's login page (Azure AD, JumpCloud, etc.)
4. After authentication, return automatically to AdOpt
The standard login screen is no longer available for SSO-enabled users.
⚠️ Important: Users who log in via SSO cannot log in to AdOpt using email and password.
User Creation and Access Rules
No manual invitation is required. Any user authenticated by the identity provider automatically gets access to AdOpt on their first login. The system creates the account on the fly and grants **Viewer** access to the organizations pre-configured in the provider setup.
Do Users Need to Exist in AdOpt Before Using SSO?
No. If the email doesn't exist in AdOpt yet, the account is created automatically on first SSO login.
What happens to Users with Existing Standard (email/password) Accounts?
They cannot log in via SSO with the same email. The system detects that the account exists without an SSO provider and blocks access with an error message asking the user to contact support.
⚠️ Important: Migrating an existing standard-login user to SSO requires a support request. This is not self-serve.
Role Assignment After SSO Activation
Every user who logs in via SSO for the first time is automatically assigned the Viewer role on the organizations configured in the identity provider.
Available roles in AdOpt:
Role | Description |
Owner | Account Owner |
Admin | Full management access |
DPO | Data protection officer |
Analyst | Access to reports and analytics |
Viewer | Read-only access |
SSO never auto-escalates roles. After the user's first login, an Admin or Owner must manually adjust their role inside AdOpt.
Permissions management (DPO, Admin, Viewer, etc.)
SSO handles authentication only (who can log in) — not authorization (what they can do). Role and permission management remains inside AdOpt, handled by Admins and Owners as usual.
Account owner, subscription and primary email
The SSO provider configuration is tied to the user who created it. New users who join via SSO get their own basic account (starter plan) and their own organization, plus Viewer access to the organizations defined in the provider setup.
ℹ️ Info: The Organization's ownership and subscription are not transferred to new SSO users.
DPO and Request Page responsible users
Not directly affected. The DPO role within an organization is assigned manually inside AdOpt. A new SSO user will not receive this role automatically — it must be assigned by an Admin or Owner after the user's first login.
Report and notification recipients
SSO activation does not modify existing notification configurations. Current recipients continue receiving notifications normally.
New SSO users are not added to any notification list automatically — they must be manually configured by an Admin.
Consent Log, Tag Scanner, Scheduled Scanner, Audit Log and other automated emails
No impact. These features have their own independent recipient and notification settings. SSO activation does not change any of this behavior.
Key limitations — What to Know Before Enabling SSO
Users with existing standard (email/password) accounts cannot migrate automatically to SSO — a support request is required
New SSO users always start as Viewer — role upgrades are manual
The organizations accessible via SSO are fixed at provider configuration time — changes require editing the provider settings
A user cannot be linked to more than one identity provider
