Enforcing SSO

A step-by-step guide to enforcing SSO for Trello Enterprise.

Trello offers SSO both as a convenience feature and as an enforced security measure. By default, SSO is enabled as a convenience first—if you plan to require your users to use SSO, you will need to work with your account management team to enforce SSO.

To enforce SSO, users will need to first transfer ownership of their account to your enterprise. This process allows users to confirm that they understand that, once SSO is enforced, they will only be able to log in with SSO—and, if they lose access to the SSO login, they will no longer be able to access their Trello content.

Everyone in your team will need to transfer ownership before SSO can be enforced. We offer two ways to do this: a due date banner within the app, and a manual link that you can send to users.

Due Date Method

The method that we recommend is working with your account management team to set a due date to enforce SSO. This method will allow you to set a due date on which SSO will become enforced for your enterprise. Users will see a banner in the app with instructions telling them how to transfer ownership of their account/connect SSO. If they don’t do that, they will be deactivated from the enforced SSO team(s) (losing access to team content) until they transfer ownership of their account.

  1. First, you will want to work with your account management team to pick a due date on which you plan to enforce SSO. They will configure this date for your account.
  2. Once the due date is in place, a banner will show to the members of all of the teams included in your enterprise. Board members that are not in your team will not see the banner. The banner will look similar to this:
  3. When your users click “Let’s get started,” they will be brought to the transfer page for your enterprise. Clicking “I’ll do this later” will collapse the banner.
  4. The transfer page will prompt your users to confirm that they’re okay transferring ownership of their account to your enterprise. They will have to first log in with SSO if they haven’t yet. Users who haven’t logged in with SSO before will see:
  5. Your Technical Account Manager can provide more information on how to log in via SSO, if your users are not sure how to do so. Once the user has logged in with SSO, that transfer page will instead show:
  6. Once your end users have clicked “Convert my account,” they do not need to take any further action.
  7. On the due date, your enterprise will be converted to an enforced-SSO enterprise. Users in your team will have to log on with SSO. Users who do not transfer ownership of their account before the due date will be deactivated from the team, and will see this banner until they do go through the transfer/conversion process:

Manual URL Method

If you prefer not to go through the due date method, we do also offer the option for you to manually send the transfer/conversion link to your team members so that they can go through the process on their own without seeing a banner. The conversion process is the same as in steps 4 and 5 above.

Your account management team will provide you with a link where you can check which members of your enterprise have not yet converted their accounts. They will not be able to convert your enterprise to an enforced SSO enterprise until everyone has either converted their accounts or been removed from the team. Reach out to your account manager for more information.
