
Break Glass Access

How to maintain emergency password-based access to your Recomly organization when SSO is enabled.

When SSO is enabled for your organization, all users are expected to authenticate through your identity provider. However, Recomly supports enabling native username/password login for specific accounts to provide break glass emergency access.

What is a break glass account?

A break glass account is a native Recomly credential that lets a designated administrator access the organization when the SSO path is unavailable — for example, if your identity provider is misconfigured, temporarily down, or your organization's directory service is suspended.

Without a break glass account, an identity provider outage means no one can log in to Recomly to investigate or remediate the problem.

Rules for break glass accounts

Break glass accounts have strict requirements. Violating any of these permanently disables the emergency access path.

The break glass email address must never be used with any identity provider

This means:

  • Do not sign in to Recomly with Google using the break glass email address.
  • Do not sign in to Recomly with the break glass email address through a SAML- or OIDC-configured identity provider.

When a user signs in with Google or a corporate identity provider for the first time, Recomly permanently links that federated identity to their account. Once linked, the password reset flow stops working for that account — even if native login is still enabled. There is no self-service way to reverse this.

Use a dedicated email address for break glass

The safest break glass email address is one that:

  • Has no Google account associated with it
  • Is not present in your corporate directory
  • Is accessible only to the designated break glass holder or a secure vault

Good options: a private address on a personal domain, or a shared mailbox hosted entirely outside your corporate identity provider.

Store the credentials securely

Break glass passwords should be stored in a password manager or secrets vault — not in email or chat. The whole point of break glass is that it works when everything else has failed, so the credentials must be reachable without depending on your normal systems.

Test the account periodically

Passwords that are never used can expire or drift into an unknown state. Confirm that your break glass account can still log in and receive a password reset email at least once per quarter. A break glass account you haven't tested is not a break glass account.

What happens if a break glass account is accidentally federated

If someone signs in to Recomly using Google or a corporate identity provider with the break glass email address, the federated identity is silently and permanently linked to the account. The password reset flow stops working for that address, because the account no longer has a standalone credential.

You will know this has happened because the Recomly login page will show one of the following errors when you attempt a password reset:

Error message and what it means:

  • "This email is linked to a Google account. Please sign in with Google." The account was linked to Google or a connected identity provider. Password reset is disabled.
  • "Username/client id combination not found." The account exists only as a federated identity with no native credential attached. Password reset is not available.

Either error means the break glass path is disabled for that account.

If the account was accidentally federated, recovery is straightforward as long as you have at least one other organization admin who can access Recomly:

  1. That admin deletes the affected user account from the Recomly admin panel.
  2. They re-invite the same email address as a new user.
  3. A fresh invitation email with a new temporary password is sent to that address.
  4. The account is restored as a native credential with no federated links.

The re-invited account starts clean. Any data associated with the old account is not carried over, but for a dedicated break glass account this is typically not a concern.

If the break glass account was your only admin and you are now locked out, you will need to contact Recomly support to perform the recovery on your behalf.

Prevention is the only reliable safeguard. Use a dedicated email address that has no associated Google or corporate identity, and make sure everyone who manages user accounts in your organization knows not to add it to any identity provider.
