Single Sign On for Organizations and Multiple Instances

This is an article detailing how to set up SSO if you use an Org-level instance to manage multiple instances. To learn about setting up SSO for a single instance, read this article.

If you have several instances and need to control which ones users will have access to when they log in, you can use the "Instance Membership Rules".

First, you'll need to check the box to enable membership rules. Then, specify the attribute name that your SSO provider will be using to provide the list of groups. Finally, you can specify as many rules as you like. 

Choose which instance the rule will apply to, and what role you'd like the users to have. Then, provide a comma-separate list of group names that should match the groups provided by your SSO provider.

For example, if your SSO provider will be sending groups like "instance1-admin", "instance2-contrib" for a particular set of users, you can create Rules to match those groups names like this:

Then, whenever a user logs in, they will have memberships created at those instances according to the rules.


  • If a user's groups change at the SSO provider, or you make a change to these rules, such that the rules no longer match, then the memberships that previously matched will also be removed. If no rules match, then all the user's memberships will be removed.
  • The memberships for a user are only updated when the user logs in.  If you make a change to the SSO provider, and then view the Kapost memberships, the change will not be reflected right away. Have the user log in first, and then the membership should be listed.

If you have any questions, don't hesitate to email support at

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request