SSO Authentication
Provisioning Policy
Control what happens on first SSO login and whether password login stays available.
Provisioning Policy
The Policy panel next to your provider list controls what happens when someone signs in via SSO for the first time:
| Mode | Behavior |
|---|---|
| JIT — auto-link existing accounts | A new user is created on first SSO login; if the email matches an existing password account, the two are automatically linked. |
| JIT — reject conflicts (default) | A new user is created on first SSO login, but sign-in is rejected if the email already has a password account, until an admin manually links them. |
| Invite only | No auto-provisioning — the user must already have been invited by an admin before they can sign in via SSO. |
Allow password login toggles whether users can still sign in with a password at all. Turn this off once SSO is fully rolled out to require SSO for every login.