Manage an organisation

Organisations on Northflank allow you to manage multiple teams. You can provision and manage users by syncing your user directory, add your own single sign-on (SSO) identity provider, and configure security for your organisation.

You can create an organisation in the Northflank application from your user dashboard's organisations page.

You can also schedule a call to discuss on-boarding your organisation to Northflank, and selecting the right plan for your needs.

Restrict teams and members

In your organisation settings you can:

• prevent members of your organisation from joining teams on Northflank that do not belong to your organisation
• prevent users that are not members of your organisation from being added to organisation teams
• restrict organisation invites to email addresses at your linked domains (if you have configured single sign-on)

Multifactor Authentication

You can enable require MFA from your organisation's security page to enforce multifactor authentication for your organisation members. Organisation members will be prompted to set up an authenticator application for their Northflank account before they can access Northflank, and they will need to enter their one-time passcode on every log in attempt.

You can also set a maximum login session duration in hours, which will automatically log organisation members out and require them to re-authenticate after the time period.

Clear member login sessions

You can clear member login sessions from your organisation's security page to immediately log out all user accounts from your organisation.

You can manage user roles on an organisational level to ensure compliance with your security policies, restrict users to specific teams, and grant organisational permissions.

You can add your payment method and tax ID for an organisation to manage billing for all teams in the organisation.

As well monitoring spend by project and resource type, you can also monitor spend by team.

Invoices for each team's usage can be downloaded from the team billing page.

You can link your existing authentication with Northflank to allow your users to sign in using SSO.

Northflank uses WorkOS SSO to integrate Northflank with your identity provider using SAML and OpenID Connect (OIDC).

To enable single sign-on, follow these steps:

• While viewing an organisation, navigate to Settings.
• Under Single Sign On, enter one or more domain names associated with your organisation, e.g. example.com. You should input all the domain names that are associated with the email addresses of organisation members.
• Optionally, you can Allow port security SSO with external domains. This does not affect organisation members signing into Northflank, but can allow users with external domains in your identity provider to access services, if enabled for that service.
• Then, you can Set-up SSO. This will redirect you to the single sign-on setup, provided via WorkOS. Follow the instructions on the pages provided. At the end of the setup, you will be prompted to test the connection. When this test succeeds, your identity provider will be linked to Northflank.

Users from your identity provider can now sign up and log in to Northflank. To avoid logging in via a non-SSO account, users should log in via the Log in with Organisation Single Sign On option on the login page, or navigate to https://app.northflank.com/sso-login .

Some identity providers also support directly logging in via your organisation’s external dashboard.

By default, accounts are created via JIT (Just In Time) provisioning - accounts are not created automatically and will instead be created when a user signs in for the first time.

When a user logs in to Northflank for the first time via SSO, they will automatically be a member of the organisation. Additionally, these users cannot create teams or resources that do not belong to the organisation, and cannot leave the organisation without deactivating the account.

To reconfigure the settings provided during setup, click the Configure SSO button. To disable Single Sign-On, click Disable SSO.

Converting an existing account

A team member with an account that was not created through SSO must continue to log in via username and password. However, an organisation admin can convert their existing account to a SSO account. On the Members page, select the user you wish to convert to SSO. In the top right, click the Convert to SSO button. The user can then log in to Northflank via SSO, and their account will no longer be able to be accessed via username and password.

Configuring SSO Settings

After linking your identity provider you can also select how users can be invited to teams in your organisation:

• Select SSO only to disable manual invites. This will prevent users in the organisation from inviting users by email address. Users will only be able to sign up via your SSO.
• Enable require approval for any SSO sign-ups. When a user creates an account using SSO they will be added to a queue until their request is confirmed or rejected. This conflicts with automatically provisioning users with directory sync, and cannot/should not be enabled at the same time.

You can sync your user directory with Northflank to update users on Northflank based on their directory groups.

You can enable Automatically provision organisation members to automatically provision organisation users on Northflank. You can restrict automatic provisioning to selected directory groups, so only users for teams using Northflank are automatically created.

Roles can be synced with directory groups to enable you to assign and remove roles from users by updating their directory groups.

Northflank uses WorkOS Directory Sync to integrate Northflank with your directory. You must have enabled single sign-on to use directory sync.