
Customer-Facing SSO Migration Guide

This guide explains how to prepare your Identity Provider (IdP) and your organization for enabling Single Sign-On (SSO) in the Operations App.


Phase 1 — Preparation

1.1 Customer Responsibilities (Identity Provider)

Before enabling SSO, you must complete the following steps in your Identity Provider (IdP):

Identity Provider setup

  • Identify the IdP that will be used.

  • Ensure each user who will access the Operations App has:

    • a stable IdP identifier

    • a valid email address (strongly recommended).

Access planning

  • Decide whether:

    • all users will migrate at once, or

    • migration will be phased by team, role, or department.

  • Decide which users are allowed to authenticate via SSO for the Operations App.


 

Automatic User Creation After SSO Is Enabled

Once SSO is enabled for the Operations App, new users may be created automatically the first time they successfully sign in using your IdP.

What this means

  • Users do not need to be manually created in the Operations App in advance.

  • A user who:

    • is permitted to authenticate in your IdP, and

    • matches the Operations App SSO configuration
      may be automatically created in the Operations App on first login.

  • User creation happens only after a successful SSO login (Just-In-Time provisioning).

What does not happen automatically

  • Assigning a user to a group in the IdP does not create a user in the Operations App.

  • Users are not bulk-created when SSO is enabled.

  • Users are created only when they actually sign in.

Why this matters:
Group membership in the IdP controls who is allowed to authenticate, not who already exists in the Operations App.

Your responsibility

You are responsible for:

  • Ensuring only intended users can authenticate via your IdP.

  • Reviewing existing Operations App users.

  • Disabling users who no longer require access, especially legacy local users.

If obsolete users are not disabled, they will remain visible and count as active accounts even if they no longer sign in.


Phase 2 — SSO Configuration

Your Services or Implementation team will:

  • Create an SSO configuration targeting the Operations App.

  • Configure trust with your IdP (metadata, certificates).

  • Select the appropriate Operations User template.

  • Validate routing and authentication behavior.

No users are created during this phase.


Phase 3 — First Login and Progressive Migration

  • Existing users authenticate via SSO and are automatically linked to their IdP identity.

  • New users authenticate via SSO and are created automatically if permitted.

  • Users who never sign in are not created.


Phase 4 — Post-Migration Hygiene (Strongly Recommended)

After SSO rollout:

  • Review the Operations App user list.

  • Disable users who:

    • have left the organization,

    • no longer require access,

    • should not authenticate via SSO.

  • (Optional) Enable SCIM de-provisioning to automatically disable users when removed from the IdP.
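
One way to carry out this review, as an added example that is not part of the vendor's guide or tooling: reconcile an Operations App user export against the list of identities your IdP permits for the app. Both exports are constructed, and the column names (`username`, `email`, `idp_id`, `status`) and the use of email to match accounts that are not yet linked are assumptions.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a documented format.
APP_USERS = """username,email,idp_id,status
alice,alice@example.com,idp-001,active
bob,bob@example.com,,active
carol,carol@example.com,idp-003,active
dave,dave@example.com,idp-004,disabled
erin,Erin@Example.com,,active
"""
IDP_ALLOWED = """idp_id,email
idp-001,alice@example.com
idp-005,erin@example.com
idp-006,frank@example.com
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def review(app_users, idp_allowed):
    """Sort active app accounts into keep / unlinked / disable."""
    allowed_ids = {r["idp_id"] for r in idp_allowed}
    allowed_emails = {r["email"].strip().lower() for r in idp_allowed}
    findings = {"keep": [], "unlinked": [], "disable": []}
    for u in app_users:
        if u["status"] != "active":
            continue  # already disabled
        if u["idp_id"]:
            # Linked account: the stable IdP identifier is authoritative.
            bucket = "keep" if u["idp_id"] in allowed_ids else "disable"
        elif u["email"].strip().lower() in allowed_emails:
            bucket = "unlinked"  # permitted, but has not signed in via SSO yet
        else:
            bucket = "disable"  # legacy local account, no permitted identity
        findings[bucket].append(u["username"])
    return findings

def pending_jit(app_users, idp_allowed):
    """Permitted identities with no app account: created only on first SSO login."""
    known_ids = {u["idp_id"] for u in app_users if u["idp_id"]}
    known_emails = {u["email"].strip().lower() for u in app_users}
    return [r["idp_id"] for r in idp_allowed if r["idp_id"] not in known_ids
            and r["email"].strip().lower() not in known_emails]

if __name__ == "__main__":
    app, idp = load(APP_USERS), load(IDP_ALLOWED)
    print(review(app, idp), pending_jit(app, idp))
```

Accounts in the `disable` bucket are candidates for manual review before being disabled; `pending_jit` lists permitted identities that will only appear in the app after their first successful SSO login.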


Summary

| Topic                | Behavior                              |
|----------------------|---------------------------------------|
| Pre-creating users   | Not required                          |
| IdP group assignment | Does not create users                 |
| User creation        | Happens on first successful SSO login |
| Old users cleanup    | Customer responsibility               |
| Automatic removal    | Optional via SCIM de-provisioning     |