User Management Options
Option 1: Golf User Management
Use Golf’s built-in user management to invite and manage users directly:- Navigate to Settings > Users
- Click Invite user
- Enter the user’s email address
- Select a role (Admin or Member)
- Click Send invitation
| Role | Permissions |
|---|---|
| Admin | Manage users, gateways, and all settings |
| Member | View and use MCP servers from the dev portal |
Option 2: Connect to Your Identity Provider
For enterprise SSO, connect your organization to an external identity provider. This enables:- Single sign-on with your corporate credentials
- Automatic user provisioning
- Group synchronization for RBAC policies
- Navigate to Settings > Organization
- Find the SSO Configuration section
- Click Configure SSO to open the setup portal
- Follow the guided setup to connect your identity provider
Identity and NameID
Golf identifies and authorizes every SSO user by their email address. When a user authenticates, Golf reads the email claim from the SSO assertion and uses it as the canonical identity: it is the key for organization membership and for resolving the security groups that authorize access (whether groups come from Directory Sync or your identity provider’s directory).Recommended NameID
Configure your identity provider to send the user’s email address as the SSO NameID. The value Golf receives as the email claim must exactly match the email recorded for that user in the directory that supplies their group membership (matching is case-insensitive). Golf does not authorize onuserPrincipalName (UPN), object ID, or any alternate identifier — only the email claim is used for group resolution.
Attribute mapping
Golf consumes the standard SSO profile attribute mapping. All four attributes are required. Map each Golf attribute to the corresponding claim your identity provider emits.| Golf attribute | Microsoft Entra ID (SAML claim URI) | Okta | Google Workspace |
|---|---|---|---|
idpId | http://schemas.microsoft.com/identity/claims/objectidentifier | Details coming soon | Details coming soon |
email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Details coming soon | Details coming soon |
firstName | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Details coming soon | Details coming soon |
lastName | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Details coming soon | Details coming soon |
For OIDC providers, the equivalent claims are
email (→ email), given_name (→ firstName), family_name (→ lastName), and sub or oid (→ idpId). Authorization always keys on the resolved email regardless of protocol.Group Synchronization
When connected to an identity provider, Golf Gateway can automatically sync user groups for use in RBAC policies.How Group Sync Works
- Users authenticate via your identity provider
- Gateway retrieves the user’s group memberships
- Groups are available for Server RBAC and Capability RBAC policies
Configuring Group Sync
Group sync configuration depends on your identity provider:- Microsoft Entra ID
- Auth0 / Descope
When using Microsoft Entra ID for SSO, group synchronization is automatic via directory sync (SCIM). Groups are synced in real-time as changes occur in your directory.Setup:
- Navigate to Settings > Organization
- Click Configure SSO and complete the Entra ID setup
- Enable directory sync in the setup portal
- Select which groups to sync
Using Groups in RBAC
Once group sync is configured, use groups in your access policies: Server RBAC:- Set
allowed_groupsto restrict server access to specific groups - Set
denied_groupsto block specific groups from accessing a server
- Assign groups to individual tools, prompts, or resources
- Use annotation-based policies to apply group restrictions based on tool characteristics (read-only, destructive, etc.)
Troubleshooting
Users can’t sign in with SSO
- Verify SSO is correctly configured in Settings > Organization
- Check that the user exists in your identity provider
- Ensure the user’s email domain matches your organization’s verified domain
Groups not appearing in RBAC policies
- For Entra ID: Verify directory sync is enabled and the groups are selected for sync
- For Auth0/Descope: Check that Management API credentials are correctly configured
- Allow a few minutes for group changes to propagate
User has wrong permissions
- Verify the user’s group memberships in your identity provider
- Check that RBAC policies reference the correct group names (case-sensitive)
- Review the policy hierarchy: organization → gateway → server
Next Steps
- Configure Identity Provider - Set up IdP for MCP client authentication
- Set Up Server RBAC - Control server access based on groups
- Set Up Capability RBAC - Fine-grained tool permissions