Applies to these roles: Admin   

Single Sign-On (SSO) allows users to sign in to a single system, such as a company directory, and then access multiple apps without having to sign in to each one with separate credentials. When SSO is enabled for your organization in Rise, you’ll manage users and potentially groups a little differently. To learn more about setting up SSO for your organization, click here.

Rise uses Security Assertion Markup Language (SAML) to authenticate users and supports System for Cross-domain Identity Management (SCIM) to automate user provisioning. You can use SAML on its own or with SCIM for added automation. 

No matter which configuration you use, you can still add non-provisioned users in Rise by following the steps listed here. Just keep in mind that those users aren’t managed by your Identity Provider (IdP) and, in some cases, you might not be able to add them to groups.  

Note: Users managed by your IdP don't receive Rise welcome emails. Once your IdP and Rise are connected, they'll be able to use their SSO-provisioned login to access your site immediately.

Here’s how SSO can affect what you do in the People tab.

Managing Users Authenticated with SAML

If your organization uses only SAML, users managed by your IdP won’t appear on the People tab until they first sign in with their SSO credentials. You won’t be able to modify their names or change or reset their passwords in Rise. These users will have an ID icon in their entry.

If your SSO administrator hasn’t added “Role” as a field in your IdP, or that field contains something other than the standard Rise roles, then the default role for your team will be applied and you can change it as usual. However, if the Role field is later defined in the IdP, that value overwrites the value you set in Rise.

To remove a user, you must first delete them from your IdP. Once they’ve been deleted there, you can remove their record from the Users tab. 

With SAML, your groups are managed in Rise as usual.

Managing Groups and Users Provisioned with SCIM

If your organization uses SCIM in addition to SAML, you’ll see users displayed in the People tab after they’re added to your IdP, even if they haven’t yet signed in to Rise. As with SAML, you won’t be able to modify their names or change or reset their passwords in Rise. These users will have an ID icon in their entry. 

If your SSO administrator hasn’t added “Role” as a field in your IdP, or that field contains something other than the standard Rise roles, then the default role for your team will be applied and you can change it as usual. However, if the Role field is later defined in the IdP, that value overwrites the value you set in Rise.

Users who’ve been provisioned by SCIM can only be removed via your IdP, not in Rise. If they’ve created content, you’ll need to transfer it to a different user. Users who have been added to Rise without provisioning can be removed as usual.

When your organization uses SCIM, you can also have IdP-managed groups. Adding and deleting members from these groups must be done in your IdP, and you can’t add non-IdP-managed users to them in Rise.

Note: The communication interval with Rise is governed by your IdP. It might take several hours for you to see changes made in your IdP.
