Is it necessary for the tenant administrator to manually add users and assign roles after configuring the Single Sign-On (SSO) in Vantage?

Question

Is it necessary for the tenant administrator to manually add users and assign roles after configuring the Single Sign-On (SSO) per tenant in Vantage?

Answer

When users log in with an e-mail address from the specified domain, they are prompted to authenticate for that tenant even if an account with that e-mail address does not yet exist in the tenant. In that case, the account is created automatically on first login with the Skill User role granted, and it appears in the list of Users available in Vantage. Once the user appears in the list, the tenant administrator can adjust the assigned roles if necessary.
Note: Despite the automatic assignment of the Skill User role, no skills are selected by default.


Please note that associated e-mail domains are used if the user does not have an account in Vantage but has an account in the External Identity Provider with which they can log in to Vantage. This domain should be a part of your users' e-mail addresses, e.g. "abbyy.com".


Comments


  • Edward Bross

    This documentation appears to be incorrect. 

    An SSO user can attempt to log in to their Vantage tenant but will be met with an "Access Denied" message. This will result in an empty user being created within Vantage which requires an administrator to manually grant permissions after the fact, requiring the user to refresh the browser, log off, then log in again in order to properly access Vantage. 

    This statement: "If the account does not yet exist in the tenant, it will be created automatically with Skill User role granted upon the first login, and will appear in the list of Users available in Vantage." is incorrect - no roles are granted to the user when they are created via the first SSO logon attempt. 

  • Sławomir Kadula

    Hi,
    I would like to confirm what Edward said. If we have enabled the synchronization mechanism with the IdP and the user should automatically be a member of Skill User (all skills) based on IdP groups, it does not work. We have to manually set it.
