Break the Glass (Emergency Access)
Break the Glass is an emergency access feature that allows designated administrators to bypass SSO enforcement and log in with their password. This ensures you’re never locked out of NeuralTrust if your identity provider experiences an outage.
When to Use It
- Your identity provider (IdP) is down or experiencing issues
- You need to access NeuralTrust during an SSO misconfiguration
- Emergency situations where SSO login is not working
- IT administrators need guaranteed access for incident response
Always keep at least one break-glass user configured when SSO Enforcement is enabled. Otherwise, an IdP outage could lock out your entire team.
Per-Provider Configuration
Break Glass Users are configured per SSO provider. If you have both Microsoft Entra ID and Generic OIDC configured, each provider has its own independent Break Glass configuration.
This means:
- If Microsoft Entra ID is down, users in its Break Glass list can log in with password
- If your OIDC provider is down, users in its Break Glass list can log in with password
- You should configure Break Glass users for each SSO provider you have enabled
How It Works
- Team Owner/Admin adds email addresses to the Break-Glass Users list for each SSO provider
- These users can log in with email + password even when “SSO Enforcement” is ON for that provider
- All break-glass logins are recorded in Audit Logs for security tracking
- Maximum 5 break-glass users per provider (recommended: 2-3)
Normal User vs Break-Glass User
| Scenario | Normal User | Break-Glass User |
|---|---|---|
| SSO Enforcement OFF | Can use password or SSO | Can use password or SSO |
| SSO Enforcement ON | Must use SSO only | Can use password OR SSO |
| IdP is down | Cannot log in | Can log in with password |
Prerequisites
Before adding someone to the break-glass list, they must:
| Requirement | Why |
|---|---|
| Have an existing NeuralTrust account | Must have signed up first |
| Have a password configured | Cannot be SSO-only users |
| Be a member of the team | Must belong to your team |
Break-glass users must have a password set. Users who only signed up via SSO or GitHub cannot be added to the break-glass list until they configure a password.
Configuring Break-Glass Users
Step 1: Open SSO Settings
- Log in to NeuralTrust as Owner or Admin
- Go to Settings → SSO
- Select the SSO provider tab you want to configure:
  - Microsoft Entra ID tab
  - Generic OIDC tab
Step 2: Enable SSO Enforcement
Break-glass configuration only appears when SSO Enforcement is enabled for that provider.
- In the selected provider tab, toggle Enforce SSO to ON
- You’ll see a warning that password login will be disabled for non-break-glass users
Step 3: Add Break-Glass Users
- The Break Glass Users section appears below the Enforce SSO toggle
- Click Edit to enter editing mode
- Enter the email address of a team administrator
- Click Add — the system validates that the user meets the requirements:
  - ✓ User exists in the system
  - ✓ User has a password set
  - ✓ User is a member of this team
- Repeat for additional users (recommended: 2-3)
- Click Save
Step 4: Verify Configuration
- You should see the email(s) listed as badges in the Break-Glass Users section
- These users can now log in with password even with SSO enforced for this provider
Step 5: Repeat for Other Providers (If Applicable)
If you have multiple SSO providers configured:
- Switch to the other provider tab
- Repeat Steps 2-4 to configure Break Glass users for that provider
Break-glass access is limited to 5 users per provider. This is a security best practice — emergency access should be limited to essential administrators only.
Validation Errors
| Error | Cause | Solution |
|---|---|---|
| "This user does not exist in the system" | User hasn't created an account | Have the user sign up for NeuralTrust first |
| "This user has no password configured" | User only signed up via SSO/GitHub | Have the user set a password via "Forgot Password" |
| "This user is not a member of this team" | User exists but not in your team | Invite the user to join your team first |
| "Maximum number of users reached" | Already have 10 break-glass users | Remove an existing user before adding a new one |
| "This email is already added" | Duplicate email | The user is already in the list |
How Break-Glass Login Works
For Normal Users (Not Break-Glass)
- User goes to login page
- Enters email
- System detects SSO is enforced → redirects to “Sign in with Microsoft”
- Cannot use password login
For Break-Glass Users
- User goes to login page
- Enters email
- Enters password
- System checks: Is this email in the break-glass list? ✓
- System checks: Is user a team member? ✓
- Login succeeds with password
- Event logged in Audit Logs
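The validation performed in Step 3 and the login routing described above, written out as a small policy model. This is an added illustration, not NeuralTrust's own code; the data model, the function names and the simulated IdP `available` flag are assumptions made for the example, while the error strings, the per-provider limit of 5 and the `isBreakGlassAccess` audit flag are taken from this page.

```python
"""Break-glass decision logic as described on this page: validation when an
admin adds a break-glass user, and the routing of a login attempt under SSO
enforcement. Added illustration, not NeuralTrust's own code; the data model,
function names and the simulated IdP 'available' flag are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

MAX_BREAK_GLASS_USERS = 5  # per-provider limit stated on the page


@dataclass
class User:
    email: str
    has_password: bool  # False for accounts that only ever signed in via SSO/GitHub


@dataclass
class ProviderSsoConfig:
    name: str                    # e.g. "Microsoft Entra ID" or "Generic OIDC"
    enforce_sso: bool = False
    break_glass: list = field(default_factory=list)
    available: bool = True       # simulated IdP health (assumption for the demo)


# Constructed sample directory: global user table plus one team's membership.
USERS = {
    "owner@example.com": User("owner@example.com", has_password=True),
    "sso-only@example.com": User("sso-only@example.com", has_password=False),
    "outsider@example.com": User("outsider@example.com", has_password=True),
}
TEAM_MEMBERS = {"owner@example.com", "sso-only@example.com"}

AUDIT_LOG: list = []  # in-memory stand-in for the Audit Logs view


def add_break_glass_user(cfg: ProviderSsoConfig, email: str) -> Optional[str]:
    """Apply the page's prerequisites in order; return None on success or the
    validation error text from the page's table."""
    email = email.strip().lower()
    user = USERS.get(email)
    if user is None:
        return "This user does not exist in the system"
    if not user.has_password:
        return "This user has no password configured"
    if email not in TEAM_MEMBERS:
        return "This user is not a member of this team"
    if email in cfg.break_glass:
        return "This email is already added"
    if len(cfg.break_glass) >= MAX_BREAK_GLASS_USERS:
        return "Maximum number of users reached"
    cfg.break_glass.append(email)
    return None


def route_login(cfg: ProviderSsoConfig, email: str, password_ok: Optional[bool]) -> str:
    """Route one login attempt for a provider.

    password_ok is None when the user chose SSO, otherwise whether the
    submitted password verified. Returns 'sso_redirect', 'logged_in' or 'denied'.
    """
    email = email.strip().lower()
    # Membership is re-checked at login time, as the page's flow describes.
    is_break_glass = email in cfg.break_glass and email in TEAM_MEMBERS
    password_allowed = (not cfg.enforce_sso) or is_break_glass
    if password_ok is None or not password_allowed:
        # Normal users under enforcement always land here; with the IdP down
        # they cannot log in at all (the "IdP is down" row of the table).
        return "sso_redirect" if cfg.available else "denied"
    # Flag the event as break-glass only when the password path bypassed
    # enforcement (assumption: an ordinary password login with enforcement
    # off is not emergency access).
    meta = {"isBreakGlassAccess": bool(cfg.enforce_sso and is_break_glass)}
    event = "auth.login.success" if password_ok else "auth.login.failure"
    AUDIT_LOG.append({"event": event, "actor": email, "provider": cfg.name, "metadata": meta})
    return "logged_in" if password_ok else "denied"


if __name__ == "__main__":
    entra = ProviderSsoConfig("Microsoft Entra ID", enforce_sso=True)
    print(add_break_glass_user(entra, "sso-only@example.com"))  # has no password
    print(add_break_glass_user(entra, "owner@example.com"))     # None: added
    entra.available = False                                     # simulate an outage
    print(route_login(entra, "sso-only@example.com", True))     # denied
    print(route_login(entra, "owner@example.com", True))        # logged_in
    print(AUDIT_LOG[-1])
```

The ordering of the checks matters: the duplicate check runs before the limit check so that re-adding an existing break-glass user never reports the limit error, and team membership is evaluated again at login time so a user removed from the team loses password access immediately even if their email is still on the list.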
Removing Break-Glass Access
Step 1: Open Break-Glass Settings
- Go to Settings → SSO
- Scroll to Break the Glass Users
Step 2: Remove User
- Click the X or Remove button next to the email
- Click Save Break-Glass Users
- The user will now be required to use SSO like everyone else
Audit Logging
All break-glass activity is logged for compliance and security monitoring.
Events Logged
| Event | Description |
|---|---|
| auth.login.success | Break-glass user logged in successfully (metadata includes isBreakGlassAccess: true) |
| auth.login.failure | Break-glass login attempt failed |
Viewing Break-Glass Events
- Go to Settings → Audit Logs
- Filter by Event Type: Login Success
- Look for events with “Break-glass user logged in via password” in the description
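A way to turn the manual filtering above into a repeatable review, as an added example that is not NeuralTrust's tooling. It assumes an export of audit events as one JSON object per line with `timestamp`, `event`, `actor`, `provider`, `description` and `metadata` fields; only the event names, the description text and the `isBreakGlassAccess` flag come from this page, and the sample export is constructed.

```python
"""Review break-glass usage in exported audit events and flag any successful
break-glass login that falls outside a declared IdP outage window. Added
example; the JSON-lines export format is an assumption."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample export: one normal SSO login, two break-glass logins and
# one failed break-glass attempt.
SAMPLE_EXPORT = """\
{"timestamp": "2024-05-01T09:12:00Z", "event": "auth.login.success", "actor": "owner@example.com", "provider": "Microsoft Entra ID", "description": "User logged in via SSO", "metadata": {"isBreakGlassAccess": false}}
{"timestamp": "2024-05-01T09:30:00Z", "event": "auth.login.success", "actor": "owner@example.com", "provider": "Microsoft Entra ID", "description": "Break-glass user logged in via password", "metadata": {"isBreakGlassAccess": true}}
{"timestamp": "2024-05-03T22:41:00Z", "event": "auth.login.failure", "actor": "admin2@example.com", "provider": "Generic OIDC", "description": "Break-glass login attempt failed", "metadata": {"isBreakGlassAccess": true}}
{"timestamp": "2024-05-03T22:43:00Z", "event": "auth.login.success", "actor": "admin2@example.com", "provider": "Generic OIDC", "description": "Break-glass user logged in via password", "metadata": {"isBreakGlassAccess": true}}
"""


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def break_glass_events(events: list) -> list:
    """Keep only events carrying the isBreakGlassAccess flag from the page."""
    return [e for e in events if e.get("metadata", {}).get("isBreakGlassAccess") is True]


def review(events: list, declared_outages: list) -> dict:
    """Summarise break-glass usage.

    declared_outages is a list of (start, end) ISO timestamps for incidents
    during which emergency access was expected. Any successful break-glass
    login outside those windows is returned under 'unexplained' for follow-up.
    """
    windows = [(parse_ts(s), parse_ts(e)) for s, e in declared_outages]
    bg = break_glass_events(events)
    successes = Counter(e["actor"] for e in bg if e["event"] == "auth.login.success")
    failures = Counter(e["actor"] for e in bg if e["event"] == "auth.login.failure")
    unexplained = []
    for e in bg:
        if e["event"] != "auth.login.success":
            continue
        ts = parse_ts(e["timestamp"])
        if not any(start <= ts <= end for start, end in windows):
            unexplained.append(e)
    return {
        "successes_per_actor": dict(successes),
        "failures_per_actor": dict(failures),
        "unexplained": unexplained,
    }


if __name__ == "__main__":
    outages = [("2024-05-01T09:00:00Z", "2024-05-01T10:00:00Z")]  # constructed incident window
    summary = review(parse_events(SAMPLE_EXPORT), outages)
    print(summary["successes_per_actor"])
    for e in summary["unexplained"]:
        print("needs follow-up:", e["timestamp"], e["actor"], e["provider"])
```

Running the review on a schedule (the page recommends regular monitoring) gives a concrete artefact for the quarterly check: every break-glass success should map to a known incident, and repeated failures for one actor are worth a look before the next outage rather than during it.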
Security Best Practices
| Recommendation | Why |
|---|---|
| Add 2-3 users per provider | Redundancy in case one is unavailable |
| Use owner/admin accounts | They have permissions to fix SSO issues |
| Use strong passwords | Break-glass accounts are high-value targets |
| Test quarterly | Ensure break-glass users remember passwords |
| Document the process | Include in your incident response runbook |
| Monitor audit logs | Review break-glass usage regularly |
FAQ
Q: What happens if my IdP is down and I’m not a break-glass user?
You won’t be able to log in until the IdP is restored. This is why it’s important to configure break-glass users proactively.
Q: Can break-glass users also use SSO?
Yes. Break-glass users can choose either method — password OR SSO. The break-glass setting only enables password as an additional option.
Q: Is there a way to know when break-glass was used?
Yes. All break-glass logins appear in Audit Logs with a specific flag. You can filter for these events to monitor emergency access usage.
Q: What if I remove all break-glass users and SSO goes down?
You would be locked out. Always keep at least one break-glass user configured when SSO Enforcement is enabled.
Q: Does break-glass work with any SSO provider?
Yes. It works with Microsoft Entra ID, generic OIDC providers, and any future SSO integrations. The feature is provider-agnostic.
Q: Can Members be break-glass users?
Yes. Any team member with a password configured can be added to the break-glass list, regardless of their role (Owner, Admin, or Member).