- Individual–an administrator invites users to the account individually by email.
- SSO–enables users to sign in through your chosen SSO instead of using Connect AI login credentials.
- Just-In-Time (JIT)–(available for SSO only) automatically places users into the licensed organization’s account with a Query system role and default connection/workspace permissions.
- SCIM–standardizes the process of granting or removing access from Connect AI.
SSO
Connect AI supports the following SSO providers. When you onboard with Connect AI, CData provides a self-service link that explains how to set up your SSO provider. Click the link to view FAQ/Troubleshooting information for each SSO provider.- SAML
- OpenID Connect
- Google Workspace
- Microsoft Entra ID
- Active Directory Federation Services (ADFS)
- Active Directory/LDAP
- PingFederate
- Okta Workforce Identity Cloud
JIT
JIT provisioning automatically creates a user account the first time someone successfully authenticates through SSO. The Connect AI Administrator does not have to invite the user manually. The new user receives a default system role of Query and default connection and workspace permissions. An Administrator or User Administrator can modify the roles and permissions later. See Permissions and Access Control for details on user roles and permissions. Enable JIT on the Settings page (the Account tab) by turning on Just-In-Time (JIT) provisioning.Your account must already have SSO configured to enable JIT provisioning.
SCIM
The System for Cross-domain Identity Management (SCIM) is a standard for managing user provision, update, and deletion in cloud-based applications. It allows you to use your company’s identity provider, such as Okta or Entra ID, to provision, update, and delete users securely in Connect AI. Connect AI currently supports SCIM provisioning with the following identity providers:- Microsoft Entra ID
- Okta Workforce Identity Cloud
- Custom IdP (configured via SAML or OpenID Connect)
- PingFederate
- Google Workspace
- Active Directory Federation Services (ADFS)
- Active Directory/LDAP
User Provision, Update, and Deletion
When you provision SCIM, CData Support supplies a unique base URL following this format:https://{your-domain.com}/scim/v2. The URL endpoint contains the necessary user metadata. All SCIM endpoints require an Authorization header with a Bearer token.
To provision a new user, POST to your unique SCIM endpoint. The system provisions the user in Connect AI. There is no need for the user to verify via email. The new user has a default role of Query user. See Users for details on user types. The new user only has access to connections that have user-defined credentials turned on.
To update a SCIM user’s name and email, use PATCH with the SCIM endpoint. When a SCIM update user request comes in, the system updates the information in Connect AI.
To delete a user, use DELETE and your unique SCIM endpoint. The SCIM delete event calls the delete endpoint.
The Connect AI Audit Log displays SCIM user provision, update, and deletion.