For {{ech}} deployments, you can configure SSO at the organization level, the deployment level, or both.
The option that you choose depends on your requirements:
Consideration | Organization-level | Deployment-level |
---|---|---|
Management experience | Manage authentication and role mapping centrally for all deployments in the organization | Configure SSO for each deployment individually |
Authentication protocols | SAML only | Multiple protocols, including LDAP, OIDC, and SAML |
Role mapping | Organization-level roles, {{ecloud}} resource access roles, and Serverless project custom roles | Built-in and custom stack-level roles |
User experience | Users interact with Cloud | Users interact with the deployment directly |
If you want to avoid exposing users to the {{ecloud}} Console, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly.
In some circumstances, you might want to use both organization-level and deployment-level SSO. For example, if you have a data analyst who interacts only with data in specific deployments, then you might want to configure deployment-level SSO for them. If you manage multiple tenants in a single organization, then you might want to configure organization-level SSO to administer deployments, and deployment-level SSO for the users who are using each deployment.