In this article:

    What it is:

    IdP plus Social login allows you to both 1) sync users from your IdP (Identity Provider) as well as 2) invite them directly to your network/tenant and have them authenticate via the social login options we support.

    For example, you can now sync your Okta tenant while also inviting your contractors to Twingate, having them use LinkedIn or Google to sign in to their respective accounts.

    Why we built it:

    We know that our customers today do not always have all of their users neatly packaged into a single IdP. The most common case is that companies have their internal team on an IdP, but then support external members (contractors, test accounts, etc) separately from their IdP. Another case we occasionally hear is that customers are supporting multiple IdPs altogether (e.g. multiple Google Workspaces or Okta instances). Commonly this is due to acquisitions, subsidiaries, etc.

    This feature supports the common case: companies that have an internal IdP and then a few straggler users not in their IdP. With this, admins can sync up their IdP and then invite their contractors separately to make sure they’re still configured under Twingate.

    How-to for customers:

    In order for you to access this feature, you will need to reach out to us to have the feature enabled for your network/tenant. Once enabled, the experience will be as follows:

    What your administrator team sees:

    01_users.png

     

    From the Teams tab, administrators will be able to select “Add user” to invite a person directly to their tenant. They just need their email to invite that user.

    For users that are added directly, admins will also have additional management capabilities:

    • Edit - name
    • Disable
    • Remove

       02_idp_user.png    03_social_user.png

    After the user has logged in, there will be a difference between the user type in the user list. Synced users (left) will have an additional icon on their user icon that shows which IdP they’re coming in from. Users added directly (right) won’t have any logo.

    One important thing to note is that if an administrator has a user synchronized via IdP and then adds them directly, this will constitute two separate accounts. Users can only authenticate via the login option connected with their account, and if there are two accounts with the same email, we will route them to the account based on how they authenticate.

    End user experience

    When a user is signing into a tenant with an IdP plus at least one user that’s invited directly, users will see this login screen that offers to sign in through 1) the IdP or 2) social login options:

    Reminder: users will ONLY be able to sign in via the option that their account was set up with. If they were set up via IdP (even Google Workspace sync), they will NOT be able to use “Sign in with Google.”

    Users synchronized through the IdP should select that option; other users added directly should select “Show additional sign in options”

    Selecting additional sign-in options shows the screen on the left; selecting IdP shows the screen on the right. After the user signs in, they will be all set!