New customer onboarding

Important: check whether a new Legion stamp needs to be deployed in the customer's region.

High level tasks

  1. Create a new org
  2. Discuss security requirements with the customer
  3. (Optional) Enable SSO

Create a new org

  1. Go to the mgmt console.
  2. Create a new organization
    • Set org name to the customer's name
    • Set domain (used to fetch the customer's logo). If not needed, enter a single space character.
    • Add the correct backend URL according to the customer's selected region (in dev, use the localhost region already provided in the dropdown)
    • Add the list of admins to invite to the org
  3. Copy the newly created support user's email and password to 1Password
    • Save it under the 'Dev' vault
    • The name of the saved credential should be in the format Support user - <customer name>.
    • If the customer organization requires 2FA, make sure to also save the TOTP secret in 1Password
  4. Enable MFA for the non-SSO users in the org in the WorkOS dashboard (follow the link presented in the mgmt console)
    • Go to https://dashboard.workos.com/environment_01JFVMZ7R9FXCWC3NEQM1GE5JN/organizations/{ORG_ID}
    • Edit the organization policy and enable MFA for non-SSO users

Watch the demo of creating a new organization.

After the organization is in place

  1. Sign in to the webapp with the internal support user to verify the configuration
  2. If not done during the org creation step, invite users to the organization via Legion Webapp: Settings > Team members > Add user
    Note: all users are added with the member role by default. The first user to accept the invite is promoted to the admin role automatically, and that user can then promote other users to admin as well.

Discuss security requirements with the customer

As part of POV preparation or when scoping POV requirements, cover the following with the customer:

  • SSO: Recommend enabling SSO for secure login. This also addresses most conditional access requirements.
  • Conditional access: Ask whether they need restrictions such as IP allow lists or access limited to company-managed devices. These are typically satisfied by enabling SSO, since the customer's IdP then enforces them at sign-in.

Enable SSO

In the WorkOS dashboard (https://dashboard.workos.com/) go to the org page and configure:

  1. Add the organization's domain (use the customer's primary email domain, e.g., acme.com):

    • Organization → Settings tab → Edit Organization details → Domain
  2. Disable automatic membership (important):

    • Organization → Features tab → Domain Policy → Uncheck "Automatically add users with any included email domains as members."
    • Why: If left enabled, any user with a matching email domain is auto-added as a member, bypassing SSO-based role and group assignment.
  3. Invite the organization admin to set up SSO:

    • Organization → Features tab → Invite an IT contact to set up this organization
    • When configuring the invite, select only "Single Sign-On" (we already set the domain manually in step 1).
  4. Customer admin completes SSO configuration in their IdP: the organization admin receives the WorkOS admin portal invite and uses it to connect their identity provider (Okta, Entra ID, Google Workspace, etc.). They will:

    • Select their IdP from the WorkOS admin portal
    • Follow the IdP-specific setup steps (creating a SAML/OIDC app, mapping attributes, assigning users/groups)
    • Confirm the connection is active in the admin portal

    Once complete, verify on the Legion Security side that the SSO connection shows as active.
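As an added example (not part of this runbook, and not the WorkOS API or the Legion mgmt console's data model), the following Python encodes the checks from the org-creation and SSO sections above as a single post-onboarding verification over a constructed organization record. The record shape, the region-to-backend table and every field name are this example's own assumptions; the rule it enforces most strictly is the one from step 2 of the SSO section: automatic membership must be off once SSO is on, because otherwise anyone with a matching email domain is admitted as a member without going through SSO-based role and group assignment.

```python
"""Post-onboarding configuration check (added example, assumptions noted inline)."""
from dataclasses import dataclass, field

# Constructed sample mapping of customer region -> backend URL. Not the real
# Legion region table; the runbook only says the URL must match the region.
REGION_BACKENDS = {
    "eu": "https://eu.backend.example.invalid",
    "us": "https://us.backend.example.invalid",
    "dev": "http://localhost:8080",
}


@dataclass
class OrgConfig:
    """Hypothetical flattened view of one organization after onboarding."""
    name: str
    domain: str                  # "" = not set; " " = deliberately blank (no logo lookup)
    region: str
    backend_url: str
    admins: list = field(default_factory=list)
    mfa_required_non_sso: bool = False
    sso_enabled: bool = False
    auto_membership: bool = False  # "Automatically add users with any included email domains"
    support_credential_title: str = ""  # 1Password item name


def check_org(cfg: OrgConfig) -> list[str]:
    """Return a list of findings; an empty list means the org passes every runbook check."""
    findings: list[str] = []

    if not cfg.name.strip():
        findings.append("org name must be the customer's name")

    # Domain: either a real domain or exactly one space when no logo lookup is wanted.
    if cfg.domain == "":
        findings.append("domain must be set, or a single space if no logo lookup is wanted")
    elif cfg.domain.strip() and ("@" in cfg.domain or " " in cfg.domain or "." not in cfg.domain):
        findings.append(f"domain {cfg.domain!r} is not a bare DNS domain such as acme.com")

    # Backend URL must correspond to the selected region.
    expected = REGION_BACKENDS.get(cfg.region)
    if expected is None:
        findings.append(f"unknown region {cfg.region!r}")
    elif cfg.backend_url != expected:
        findings.append(f"backend URL {cfg.backend_url!r} does not match region {cfg.region!r}")

    if not cfg.admins:
        findings.append("at least one admin must be invited to the org")

    # Step 4 of org creation: MFA for everyone who does not come in through SSO.
    if not cfg.mfa_required_non_sso:
        findings.append("MFA must be required for non-SSO users")

    # SSO section: a real domain is needed, and auto-membership must be off.
    if cfg.sso_enabled:
        if not cfg.domain.strip():
            findings.append("SSO requires the organization's primary email domain to be set")
        if cfg.auto_membership:
            findings.append(
                "automatic membership must be disabled when SSO is enabled: it admits anyone "
                "with a matching email domain, bypassing SSO-based role and group assignment"
            )

    # Step 3 of org creation: 1Password item naming convention.
    if cfg.support_credential_title != f"Support user - {cfg.name}":
        findings.append("1Password item must be named 'Support user - <customer name>'")

    return findings


# Constructed sample records: one that follows the runbook, one that does not.
GOOD = OrgConfig(
    name="Acme", domain="acme.com", region="eu",
    backend_url=REGION_BACKENDS["eu"], admins=["it-admin@acme.com"],
    mfa_required_non_sso=True, sso_enabled=True, auto_membership=False,
    support_credential_title="Support user - Acme",
)
BAD = OrgConfig(
    name="Globex", domain="", region="us",
    backend_url=REGION_BACKENDS["eu"], admins=[],
    mfa_required_non_sso=False, sso_enabled=True, auto_membership=True,
    support_credential_title="globex support",
)

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_org(cfg) or "OK")
```

Run it as a script to see the findings for each sample; in practice the record would be filled from whatever the mgmt console and WorkOS dashboard expose, and a non-empty list means the onboarding is not finished.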