What if a SAML user logs in when they have a local account already?

Authentication
Updated Dec 13, 2025

When a user who already has a local account (with username/password) signs in via SAML SSO for the first time, ChangeBreeze automatically converts their account to a SAML-only account.

What happens during conversion

  1. User initiates SAML login - The user clicks "Sign in with SAML SSO" and authenticates with their Identity Provider (e.g., Azure AD, Okta)
  2. Email matching - ChangeBreeze matches the email address from the SAML assertion to the existing local account
  3. Password disabled - The user's local password is automatically disabled
  4. Account becomes SAML-only - From this point forward, the user can only authenticate via their organisation's Identity Provider

Why we do this

  • Security - Prevents users from bypassing SSO policies by using local passwords
  • Consistency - Ensures all authentication goes through the organisation's IdP where MFA and conditional access policies are enforced
  • Compliance - Supports organisations that require centralised authentication management

What SAML users cannot do

Once converted to a SAML account, users:

  • ❌ Cannot reset their password via the "Forgot Password" link
  • ❌ Cannot change their password in account settings
  • ❌ Cannot sign in with email/password

Converting back to a local account

If a user needs to be converted back to a local account (e.g., leaving the organisation but retaining access), an administrator must:

  • Delete the user account from ChangeBreeze
  • Re-create the user as a local user with a new password

The re-created user receives a temporary password and is prompted to change it on first login.

Note: There is no direct "convert to local" function. This is intentional to prevent accidental security policy bypasses.
