Member Management with SSO
When SSO is configured, member management works differently from invitation-based organizations. This guide covers how members join, how to identify their source, and how roles work with SSO.
How Auto-Join Works
When a user signs in through your SSO provider and their email domain matches your organization's configured SSO domain:
- They are automatically added to your organization as a Viewer
- No invitation is required
- Their account appears immediately in the Members list
This applies to both new Intentra users and existing users signing in via SSO for the first time.
Auto-Join Requirements
- The user must authenticate through your IdP (SSO), not via password
- Their email domain must match the domain configured in your SSO settings
- The user must be assigned the Intentra app in your IdP
Source Column
The Members list includes a Source column showing how each member joined:
| Badge | Meaning |
|---|---|
| SSO | Joined automatically via SSO authentication |
| Invitation | Joined by accepting an email invitation |
| Owner | The original creator of the organization |
| Manual | Joined through another method (legacy accounts) |
This helps admins understand the composition of their team and identify SSO-provisioned users.
Invitations with SSO Only
When SSO Only mode is enabled:
- The invitation form is hidden on the Members page
- An info banner explains that access is managed through the IdP
- Existing pending invitations are cancelled when SSO Only is first enabled
When SSO Only is not enforced (SSO enabled but not required), invitations work normally alongside SSO auto-join.
Promoting Auto-Joined Users
Users who auto-join via SSO are assigned the Viewer role by default. To promote a user to Admin:
- Go to the Members page
- Find the user in the members table
- Change their role from Viewer to Admin using the role dropdown
Only existing admins can change member roles. The role change takes effect immediately.
Removing Members
Admins can remove any member (except themselves) from the Members page. With SSO Only enabled, a removed user who is still assigned in the IdP will be re-added as a Viewer on their next SSO sign-in. To permanently revoke access, remove the user from the Intentra app in your IdP.