
Enterprise SSO

Introducing automatic granting of project access and roles to SSO users based on declarative rules.

Jesus De Oliveira, Principal Product Manager, Content Lake and Enterprise Experience

Enterprise SSO: Project & Identity Mapping

Powering content management and operations for the enterprise means supporting the needs of editors and developers, while enabling them to work, collaborate, and use content effectively. It also means making it possible to scale these workflows to different lines of business, teams, and employees, while remaining compliant and secure without introducing friction for users.

As Sanity is used in more areas and lines of business in your organization, new teams start new projects, but employees across the organization may still require access. Creating accounts and assigning roles one by one becomes cumbersome and error-prone, and ultimately introduces friction that slows down users and projects. More importantly, ensuring these users have and keep the right access and permissions over time becomes even more difficult.

We’re releasing a major improvement to our SAML/SSO integration capability to enable automatic granting of project access and roles to users logging in through SSO, based on declarative rules. With this new functionality, your organization’s users can onboard into Sanity by just logging in with their corporate credentials and start working immediately, in the appropriate projects and with the right role. At the same time, you can be sure users always have the right access and permissions across projects, without manual and error-prone work.

Solution Overview

With Enterprise SSO enabled, employees in your organization can securely log in to your Sanity projects using their corporate identity credentials, and instantly get started working on content, with the right project access and role.

Organizations can now use declarative rules provided by a 3P identity provider to log into the Sanity Studio

Sanity admins can define declarative rules that determine the projects and the roles a user receives when onboarding (the first time they log in to Sanity through SSO), or on every log-in (ensuring roles and project access are always up to date). Rules use the “group membership” metadata field of the user’s record in the corporate identity provider, and support regular expressions to allow both simple and sophisticated cases.

Organizations can now specify group names provided by a 3P identity provider, which map to Sanity roles.

Declarative mapping rules can be configured to be applied upon every log-in of a user, ensuring their project access and roles stay in sync with the latest user metadata in the identity provider. For example, a user removed from a group or offboarded from the corporate identity provider automatically loses previously granted project access and roles. To ensure consistency, a user’s project access and role cannot be modified manually when using this model.
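
The rule evaluation described above can be sketched as follows. This is an added example, not Sanity's code or configuration schema: the rule format, group names, project names and function names are hypothetical. It goes slightly beyond the text by anchoring each regular expression to the whole group name, since the page does not say how patterns are matched and an unanchored pattern can grant a role to an unintended group.

```javascript
// Hypothetical rule format for illustration; not Sanity's configuration schema.
const RULES = [
  { groupPattern: "cms-(web|docs)-editors", project: "marketing-site", role: "editor" },
  { groupPattern: "cms-admins", project: "marketing-site", role: "administrator" },
  { groupPattern: "cms-.*-viewers", project: "intranet", role: "viewer" },
];

// Anchor the pattern so it must match the entire group name. Unanchored,
// "cms-admins" would also match a group named "ex-cms-admins-archive".
function matches(pattern, group) {
  return new RegExp(`^(?:${pattern})$`).test(group);
}

// Map the groups asserted by the identity provider to "project:role" grants.
function resolveGrants(groups, rules = RULES) {
  const grants = new Set();
  for (const rule of rules) {
    if (groups.some((g) => matches(rule.groupPattern, g))) {
      grants.add(`${rule.project}:${rule.role}`);
    }
  }
  return grants;
}

// existing === null means first log-in (onboarding).
// mode "onboarding": rules run only on first log-in; later log-ins keep grants.
// mode "everyLogin": grants are replaced on each log-in, so access that no
// longer follows from the user's groups is revoked.
function applyLogin(existing, groups, mode) {
  if (existing !== null && mode !== "everyLogin") {
    return { grants: existing, added: [], revoked: [] };
  }
  const previous = existing ?? new Set();
  const computed = resolveGrants(groups);
  return {
    grants: computed,
    added: [...computed].filter((g) => !previous.has(g)).sort(),
    revoked: [...previous].filter((g) => !computed.has(g)).sort(),
  };
}

// Constructed sample: a user onboards, then is moved to another group.
const onboarded = applyLogin(null, ["cms-web-editors", "ex-cms-admins-archive"], "everyLogin");
const moved = applyLogin(onboarded.grants, ["cms-hr-viewers"], "everyLogin");
console.log([...onboarded.grants], moved.added, moved.revoked);
```
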

Organizational admins will know if a user is managed by a 3P provider with updates to the members page.

This enhances our robust set of enterprise capabilities, complementing custom CDN domains, dedicated infrastructure and detailed audit logging. Together, these enable you and your organization to leverage structured content at scale while meeting the compliance, security and operational demands of the enterprise.

A composable solution for digital businesses

Sanity’s customizable content solution offers enterprise companies the flexibility to support all content, from marketing sites to digital signage, rewards programs, and more. Backed by an unparalleled developer experience, teams can flow content across robust APIs that drive critical business functions across any additional apps within a content lifecycle. To get started with Sanity for Enterprise, visit our website and schedule a demo with our team.