Skip to main content

SSO User Provisioning

When users authenticate via SSO for the first time, their user account is automatically created based on the information provided by your identity provider.
Automatic Account Creation: New users are automatically added to your organization when they successfully authenticate via SSO, provided their email domain is configured for SSO.

User Roles and Permissions

SSO users are automatically added to your organization with default member permissions. However, there are important considerations for workspace access:
Important: New SSO users are added to the organization but are not automatically assigned to any workspaces. They will need to be manually added to workspaces through the Ravenna app.

Organization-Level Permissions

New SSO users default to Member role at the organization level. To modify their organization role:
  1. Navigate to Organization SettingsMembers
  2. Find the SSO user in the organization member list
  3. Update their organization role (Member, Admin, etc.) as needed

Workspace Access

After SSO authentication, users will need workspace access:
  1. Navigate to the specific workspace
  2. Go to Members within that workspace
  3. Add the SSO user to the workspace
  4. Set their workspace role and permissions as needed

Deactivating SSO Users

When employees leave your organization:
  1. Remove from IdP: Deactivate or remove the user from your identity provider
  2. Automatic deactivation: The user will no longer be able to authenticate via SSO
  3. Manual cleanup: Optionally remove the user from organization settings

Custom Attribute Mapping

For complex organizational structures, you may need custom attribute mapping: 
// Ravenna supports these custom user attributes:
{
  "given_name": "John",
  "family_name": "Doe",
  "groups": ["Engineering", "Admins"],
  "manager": "jane.smith@company.com",
  "department": "Engineering"
}

Configuring Attribute Mapping

Work with your identity provider administrator to ensure these attributes are included in the authentication response and properly mapped to your organizational structure.

Best Practices

User Access Reviews

  • Regular audits: Periodically review SSO user access and remove inactive accounts
  • Role validation: Ensure users have appropriate permissions for their current role
  • Workspace membership: Verify users are in the correct workspaces

Emergency Access

Always maintain emergency access to your organization:
Important: Ensure at least one organization admin account uses password authentication as a backup method in case SSO becomes unavailable. This account must not have the same email domain as your SSO-managed domains.