> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cloud.cdata.com/llms.txt
> Use this file to discover all available pages before exploring further.

# User Provisioning and SSO

> Connect AI supports Single Sign-On (SSO) and user provisioning via Just-In-Time (JIT) and System for Cross-domain Identity Management (SCIM).

There are four user onboarding and access management modes available in Connect AI:

* **Individual**–an administrator invites users to the account individually by email.
* **SSO**–enables users to sign in through your chosen SSO instead of using Connect AI login credentials.
* **Just-In-Time (JIT)**–(**available for SSO only**) automatically places users into the licensed organization's account with a Query system role and default connection/workspace permissions.
* **SCIM**–standardizes the process of granting or removing access from Connect AI.

## SSO

Connect AI supports the following SSO providers. When you onboard with Connect AI, CData provides a self-service link that explains how to set up your SSO provider. Click the link to view FAQ/Troubleshooting information for each SSO provider.

* [SAML](/en/SAMLTroubleshooting)
* [OpenID Connect](/en/OpenIDConnectTroubleshooting)
* [Google Workspace](/en/GoogleWorkspaceTroubleshooting)
* [Microsoft Entra ID](/en/MicrosoftEntraIDTroubleshooting)
* [Active Directory Federation Services (ADFS)](/en/ADFSTroubleshooting)
* [Active Directory/LDAP](/en/ActiveDirectoryLDAPTroubleshooting)
* [PingFederate](/en/PingFederateTroubleshooting)
* [Okta Workforce Identity Cloud](/en/OktaTroubleshooting)

To enable SSO for your account, contact [CData Support](https://www.cdata.com/support/submit.aspx).

## JIT

JIT provisioning automatically creates a user account the first time someone successfully authenticates through SSO. The Connect AI Administrator does not have to invite the user manually. The new user receives a default system role of Query and default connection and workspace permissions. An Administrator or User Administrator can modify the roles and permissions later. See [Permissions and Access Control](/en/Permissions) for details on user roles and permissions.

Enable JIT on the **Settings** page (the **Account** tab) by turning on **Just-In-Time (JIT) provisioning**.

<Note>Your account must already have SSO configured to enable JIT provisioning.</Note>

If the new user's SSO login reaches the maximum number of seats, the user's provisioning is denied. The Administrator receives an alert.

## SCIM

The System for Cross-domain Identity Management (SCIM) is a standard for managing user provision, update, and deletion in cloud-based applications. It allows you to use your company's identity provider, such as Okta or Entra ID, to provision, update, and delete users securely in Connect AI.

Connect AI currently supports SCIM provisioning with the following identity providers:

* Microsoft Entra ID
* Okta Workforce Identity Cloud
* Custom IdP (configured via SAML or OpenID Connect)

The following SCIM providers are NOT supported:

* PingFederate
* Google Workspace
* Active Directory Federation Services (ADFS)
* Active Directory/LDAP

To enable SCIM, contact [CData Support](https://www.cdata.com/support/submit.aspx).

### User Provision, Update, and Deletion

When you provision SCIM, CData Support supplies a unique base URL following this format: `https://{your-domain.com}/scim/v2`. The URL endpoint contains the necessary user metadata. All SCIM endpoints require an `Authorization` header with a `Bearer` token.

To provision a new user, `POST` to your unique SCIM endpoint. The system provisions the user in Connect AI. There is no need for the user to verify via email. The new user has a default role of Query user. See [Users](/en/Users) for details on user types. The new user only has access to connections that have user-defined credentials turned on.

To update a SCIM user's name and email, use `PATCH` with the SCIM endpoint. When a SCIM update user request comes in, the system updates the information in Connect AI.

To delete a user, use `DELETE` and your unique SCIM endpoint. The SCIM delete event calls the delete endpoint.

The Connect AI [Audit Log](/en/Logs#audit-log) displays SCIM user provision, update, and deletion.
