Skip to main content

SSO After Activation: User Access, Roles and Account Management

Written by AdOpt Support

Login Flow After SSO Activation

Once SSO is enabled, users no longer use their AdOpt email and password. The new login flow is:

1. Go to `dash.goadopt.io/sso/login`

2. Enter the identity provider name configured by the admin

3. Get redirected to the company's login page (Azure AD, JumpCloud, etc.)

4. After authentication, return automatically to AdOpt

The standard login screen is no longer available for SSO-enabled users.

⚠️ Important: Users who log in via SSO cannot log in to AdOpt using email and password.


User Creation and Access Rules

No manual invitation is required. Any user authenticated by the identity provider automatically gets access to AdOpt on their first login. The system creates the account on the fly and grants **Viewer** access to the organizations pre-configured in the provider setup.


Do Users Need to Exist in AdOpt Before Using SSO?

No. If the email doesn't exist in AdOpt yet, the account is created automatically on first SSO login.


What happens to Users with Existing Standard (email/password) Accounts?

They cannot log in via SSO with the same email. The system detects that the account exists without an SSO provider and blocks access with an error message asking the user to contact support.

⚠️ Important: Migrating an existing standard-login user to SSO requires a support request. This is not self-serve.


Role Assignment After SSO Activation

Every user who logs in via SSO for the first time is automatically assigned the Viewer role on the organizations configured in the identity provider.

Available roles in AdOpt:

Role

Description

Owner

Account Owner
Full access to billing information

Admin

Full management access

DPO

Data protection officer
Responsible for Privacy Portal and Requests Page (DSAR)

Analyst

Access to reports and analytics

Viewer

Read-only access

SSO never auto-escalates roles. After the user's first login, an Admin or Owner must manually adjust their role inside AdOpt.


Permissions management (DPO, Admin, Viewer, etc.)

SSO handles authentication only (who can log in) — not authorization (what they can do). Role and permission management remains inside AdOpt, handled by Admins and Owners as usual.


Account owner, subscription and primary email

The SSO provider configuration is tied to the user who created it. New users who join via SSO get their own basic account (starter plan) and their own organization, plus Viewer access to the organizations defined in the provider setup.

ℹ️ Info: The Organization's ownership and subscription are not transferred to new SSO users.


DPO and Request Page responsible users

Not directly affected. The DPO role within an organization is assigned manually inside AdOpt. A new SSO user will not receive this role automatically — it must be assigned by an Admin or Owner after the user's first login.


Report and notification recipients

SSO activation does not modify existing notification configurations. Current recipients continue receiving notifications normally.

New SSO users are not added to any notification list automatically — they must be manually configured by an Admin.


Consent Log, Tag Scanner, Scheduled Scanner, Audit Log and other automated emails

No impact. These features have their own independent recipient and notification settings. SSO activation does not change any of this behavior.


Key limitations — What to Know Before Enabling SSO

  • Users with existing standard (email/password) accounts cannot migrate automatically to SSO — a support request is required

  • New SSO users always start as Viewer — role upgrades are manual

  • The organizations accessible via SSO are fixed at provider configuration time — changes require editing the provider settings

  • A user cannot be linked to more than one identity provider

Did this answer your question?