Skip to main content

Stronger sign-in controls for SSO and 2FA

Boldo authentication is now more precise at the organization level. The same account can use email and password in one organization and SSO in another, while each organization can decide which sign-in methods are allowed.

Organization-aware sign-in

Boldo now checks the method used by your current session against the organization you are opening.

This matters most when an organization requires SSO:

  • Email-password sessions cannot open an SSO-required organization; the organization selector shows the required method so users can sign back in with the matching SSO provider.
  • SSO sessions can open only the organizations that trust that SSO provider.
  • If a sign-in method is disabled for a member, that method can no longer open the organization.

Read Log in to Boldo and Join or select an organization for the user flow.

Member sign-in methods

Administrators can review each member's available sign-in methods from the Users page. Methods can be disabled, re-enabled, or removed while keeping guardrails in place:

  • The organization owner methods are locked.
  • A user cannot disable or remove the method used by their current session.
  • SSO-required organizations do not allow email-password methods to be re-enabled.
  • New SSO access comes through the identity provider, not manually from the user form.

For details, read Users.

2FA and SSO work together cleanly

Boldo 2FA applies to email-password sessions. When an organization enforces 2FA, email-password users must enable it before entering the organization. SSO users continue to rely on the MFA policy configured in the identity provider.

Administrators using email and password must enable 2FA before enforcing it for the organization. Administrators signed in through SSO can manage the setting without enrolling in Boldo 2FA.

Read Account authentication and Organization security.

API access follows member status

API keys now stay aligned with the owning member's organization access.

If a member loses all active sign-in methods, their API keys stop working. If a member is removed from an organization, Boldo also removes their organization-owned API keys.

Read API for integration details.