Single Sign-On (SSO) in Falcon – Settings, Management and Best Practices
The Three SSO Modes in Falcon
Falcon provides three modes that determine how strictly provider authentication is enforced: Optional, Individual, and Mandatory.
1. Optional
In Optional mode, users can freely choose whether to enter the Hub with or without a provider.
Owners and IT Admins can invite users both with and without a provider. In the user management menu, they can also assign or reset a provider at any time via the right-click menu.
Users also have flexibility: they can unlink themselves from a provider by right-clicking on the Hub in the lobby and selecting “Reset Single Sign-On”.
This mode is highly flexible and is particularly useful if you are just starting out with SSO or want to roll it out gradually.
2. Individual (recommended)
The Individual mode represents a middle ground and is Falcon’s recommended setting.
Owners must assign a provider when inviting new users and can no longer reset that assignment later. They also lose the ability to reset Single Sign-On in the lobby.
IT Admins retain full flexibility. They can still manage exceptions – for example, external consultants or test accounts – that can access the Hub without provider authentication. IT Admins can also reset their own login if needed.
Users must authenticate using their assigned provider. They can no longer reset their login themselves.
This mode provides security and control without closing the door completely for necessary exceptions. For most organizations, this is the best balance.
3. Mandatory
In Mandatory mode, every user must use the provider to access the Hub. No exceptions are allowed.
For Owners, the rules are much the same as in Individual mode.
IT Admins must assign a provider to every new user. They can no longer reset provider assignments – not even for themselves. They are also required to log in via the provider at all times. This carries a risk: if the provider configuration is incorrect, they may lock themselves out of the system.
Users must always use their assigned provider.
Because there is no fallback option, Falcon displays a warning when switching to this mode. Take particular care with the “Log in with this provider” option: this is not a test but a full login with permanent effects. If the provider is misconfigured and the Hub is already set to Mandatory, the administrator will be locked out with no self-service recovery.
This mode should only be used if you have a rock-solid, long-term stable provider configuration and no external exceptions are needed.
Assigning and Resetting Providers
Providers can be reset at two different levels:
User account level
This resets the user’s identity but keeps the provider assignment intact.
The user must re-confirm their identity via email but will still need their assigned provider to access the Hub.
Hub (lobby) level
This resets the provider assignment for the Hub itself.
Afterward, the Hub can be accessed without provider authentication again.
The user identity remains unchanged.
To reset at Hub level, right-click the Hub in the lobby and select “Reset Single Sign-On”.
Typical Scenarios and Consequences
User without a provider assignment
can always access the Hub without a provider. However, if they enter the Hub via a provider link, they will automatically be assigned – regardless of role or SSO mode.
User with a provider assignment
must always log in using that provider. If the provider configuration is broken, the user is locked out until it is fixed.
What to Do if an IT Admin Gets Locked Out
If an IT Admin locks themselves out because of an incorrect provider configuration, there is a clear recovery path:
Access the Hub via the Admin Console (requires Falcon Support to have Hub access).
Change the SSO mode from Mandatory to Individual.
In the lobby, right-click the Hub and select “Reset Single Sign-On”.
The IT Admin can now re-enter the Hub and fix the configuration.
Important: All other users remain locked out as long as their provider is broken, since they cannot unlink themselves.
Best Practices for Using SSO in Falcon
Use the Individual mode whenever possible. It combines strong security with needed flexibility and prevents accidental lockouts.
Never test or change provider settings while in Mandatory mode unless you are 100% sure the configuration is correct.
Keep clear documentation of which providers are assigned to which users and establish an escalation path in case of errors.
Train Owners and IT Admins in how to use the functions “Assign Identity Provider” and “Reset Single Sign-On” correctly.
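The lockout rules above can be applied to the provider documentation recommended here to see who a broken provider would lock out in each mode. The following is an added example, not Falcon code or a Falcon API: the inventory rows, the role labels and the provider name "corp-idp" are constructed assumptions.

```python
# Added example: lockout impact of a broken provider, per SSO mode.
# Inventory format, role labels and provider names are assumptions.
from dataclasses import dataclass
from typing import Optional

MODES = ("optional", "individual", "mandatory")

@dataclass(frozen=True)
class Account:
    name: str
    role: str                 # "owner", "it_admin" or "user" (assumed labels)
    provider: Optional[str]   # None = no provider assignment

def can_self_reset(mode: str, role: str) -> bool:
    """Who may use "Reset Single Sign-On" in the lobby, per the mode rules."""
    if mode == "optional":
        return True                # everyone can unlink themselves
    if mode == "individual":
        return role == "it_admin"  # Owners and Users lose the lobby reset
    return False                   # mandatory: nobody, not even IT Admins

def outage_impact(mode: str, accounts: list, broken: str) -> dict:
    if mode not in MODES:
        raise ValueError(f"unknown SSO mode: {mode}")
    # Accounts without an assignment are never affected by a broken provider.
    affected = [a for a in accounts if a.provider == broken]
    self_recover = [a.name for a in affected if can_self_reset(mode, a.role)]
    stuck = [a.name for a in affected if not can_self_reset(mode, a.role)]
    # Fixing the configuration needs an IT Admin who can still enter the Hub:
    # one on a working provider, or one able to reset their own login.
    admin_can_fix = any(
        a.provider != broken or can_self_reset(mode, a.role)
        for a in accounts if a.role == "it_admin"
    )
    return {"self_recover": self_recover, "stuck": stuck,
            "needs_support": not admin_can_fix}

# Constructed sample inventory (not real data).
INVENTORY = [
    Account("alice", "it_admin", "corp-idp"),
    Account("bob", "owner", "corp-idp"),
    Account("carol", "user", "corp-idp"),
    Account("dave", "user", None),  # exception account without a provider
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, outage_impact(mode, INVENTORY, "corp-idp"))
```

A result with needs_support set to True corresponds to the recovery path through Falcon Support described above.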
👉 With this, you have a full overview of how SSO works in Falcon, how to configure it, and how to resolve common issue