This section covers additional requirements for managing users in SSO environments.

Enable SSO

The  requires additional configuration to integrate with your SSO provider. Available methods:

SAML IDPIntegrate the platform with enterprise SAML identity provider. See Configure SSO for SAML.
Native LDAP-ADUsing native functionality in the platform, it can integrate with enterprise LDAP/AD. For more information, see Configure SSO for AD-LDAP.
LDAP-AD via reverse proxy

A reverse proxy server outside of the platform can be set up for integration with enterprise LDAP/AD.

NOTE: This method is likely to be deprecated in a future release.


For more information, see Configure SSO for AD-LDAP.


Configure Auto-Registration

Tip: By default, user auto-registration is enabled. It is recommended.

How users are managed depends on whether auto-registration is enabled:

User Management with Auto-Registration

After SSO with auto-registration has been enabled, you can still manage users through the , with the following provisions:

For more information, See Workspace Users Page.

Disable Auto-Registration

To disable auto-provisioning in the platform, please verify the following property:

  1. Set the following property:

    "webapp.sso.enableAutoRegistration" : false,
  2. Save your changes and restart the platform.
  3. New users of the  must be provisioned by a . See below.

Provision new users under SSO without auto-registration

If SSO auto-registration is disabled, admin users can provision new users of the platform through the following URL:



The user's password is unnecessary in an SSO environment. You must provide the SSO principal value, which is typically the Active Directory login for the user.

User access for reverse proxy method

Users access the application through the  using the standard hostname and the port that you specified:

NOTE: All users must be use this URL to access the . If they use the non-SSO URL, they may receive an Unprovisioned User error.