Safeguard.sh Documentation Center
SSO Authentication

Provisioning Policy

Control what happens on first SSO login and whether password login stays available.

Provisioning Policy

The Policy panel next to your provider list controls what happens when someone signs in via SSO for the first time:

ModeBehavior
JIT — auto-link existing accountsA new user is created on first SSO login; if the email matches an existing password account, the two are automatically linked.
JIT — reject conflicts (default)A new user is created on first SSO login, but sign-in is rejected if the email already has a password account, until an admin manually links them.
Invite onlyNo auto-provisioning — the user must already have been invited by an admin before they can sign in via SSO.

Allow password login toggles whether users can still sign in with a password at all. Turn this off once SSO is fully rolled out to require SSO for every login.

On this page