Manage email and password authentication

This guide explains how to enable or disable standard email/password logins in favor of Single Sign-On (SSO) and how to regain access if you are locked out.

Overview

Baserow allows administrators to enforce Single Sign-On (SSO) by disabling the standard email and password login method. This ensures all users must authenticate via your corporate identity provider.

By default, Baserow enables “Email and Password” authentication. However, organizations with strict security policies often prefer to disable this to ensure former employees cannot access the system once removed from the corporate IDP (e.g., Okta, Azure AD).

⚠️ Requirement: You cannot disable Email and Password authentication until you have successfully enabled at least one other SSO provider (SAML or OAuth 2). Baserow ensures you always have at least one active way to log in.

Disabling password authentication

To enforce SSO, you must disable the default password provider.

1. Navigate to Admin Panel: Log in as an Instance Admin and click Admin -> Authentication.
2. Verify SSO Status: Ensure your desired SSO provider (e.g., Google, GitLab, Okta) is listed and Enabled (toggle is green).
3. Toggle Password Auth: Locate the Email and Password row.
4. Switch to Disabled: Click the toggle to turn it off (gray).

What happens next?

• For Users: The login form (username/password fields) will disappear. If only one SSO provider is active, visiting the login page will automatically redirect them to that provider’s login screen.
• For Admins: You will also be redirected. To bypass this, see the Emergency Access section below.

Emergency access (Bypass redirect)

If you have disabled password authentication and your SSO provider fails (or is misconfigured), you risk locking yourself and your users out of the instance.

Instance Admins always retain the ability to log in with a password, even if the feature is disabled. To access the hidden login form, you must use a special URL parameter to stop the automatic redirect.

How to use the bypass URL

1. Navigate to your Baserow login URL.
2. Append ?noredirect to the end of the URL.
   • Example: https://baserow.io/login?noredirect
   • Example: https://your-domain.com/login?noredirect
3. Press Enter.
4. The automatic redirect will be suppressed, and the standard Email and Password form will appear.
5. Log in with your Instance Admin credentials.

Note: This bypass only works for accounts with Instance Admin (Staff) privileges. Standard users cannot use this parameter to bypass SSO enforcement.

Frequently Asked Questions (FAQ)

Why is my login page automatically redirecting to Google/Okta?

If you have disabled “Email and Password” and have exactly one SSO provider enabled, Baserow streamlines the experience by skipping the login selection screen and sending the user directly to that provider. To stop this, use the ?noredirect parameter.

Can I disable password login for users but keep it for admins?

Not explicitly. The setting is global. However, the implementation effectively works this way: standard users must use SSO because they cannot use the bypass, while Admins can use the password method via the ?noredirect bypass if necessary.

I disabled password auth and now I can’t log in. What do I do?

Use the Emergency Access method (/login?noredirect). If you have lost your admin password as well, you will need to use the Baserow command line interface (CLI) on your server to reset the admin password.

Related content

• Enable Single Sign-On (SSO)
• Baserow Admin Panel Overview
• SSO Overview

---

Still need help? If you’re looking for something else, please feel free to make recommendations or ask us questions; we’re ready to assist you.

• Ask the Baserow community

• Contact support for questions about Baserow or help with your account.