Golf provides flexible options for managing user access to your organization. You can use Golf’s built-in user management or connect to your existing identity provider for enterprise SSO and automatic group synchronization.

User Management Options

Option 1: Golf User Management

Use Golf’s built-in user management to invite and manage users directly:
  1. Navigate to Settings > Users
  2. Click Invite user
  3. Enter the user’s email address
  4. Select a role (Admin or Member)
  5. Click Send invitation
The user receives an email invitation and can join your organization after accepting.

Roles:
  Role     Permissions
  Admin    Manage users, gateways, and all settings
  Member   View and use MCP servers from the dev portal

Option 2: Connect to Your Identity Provider

For enterprise SSO, connect your organization to an external identity provider. This enables:
  • Single sign-on with your corporate credentials
  • Automatic user provisioning
  • Group synchronization for RBAC policies
To configure SSO:
  1. Navigate to Settings > Organization
  2. Find the SSO Configuration section
  3. Click Configure SSO to open the setup portal
  4. Follow the guided setup to connect your identity provider
Supported identity providers include SAML-based providers and OAuth/OIDC providers like Microsoft Entra ID, Okta, and Google Workspace.

Group Synchronization

When connected to an identity provider, Golf Gateway can automatically sync user groups for use in RBAC policies.

How Group Sync Works

  1. Users authenticate via your identity provider
  2. Gateway retrieves the user’s group memberships
  3. Groups are available for Server RBAC and Capability RBAC policies

Configuring Group Sync

Group sync configuration depends on your identity provider:
When using Microsoft Entra ID for SSO, group synchronization is automatic via directory sync (SCIM). Groups are synced in real time as changes occur in your directory.
Setup:
  1. Navigate to Settings > Organization
  2. Click Configure SSO and complete the Entra ID setup
  3. Enable directory sync in the setup portal
  4. Select which groups to sync
Groups appear automatically in RBAC policy dropdowns.

Using Groups in RBAC

Once group sync is configured, use groups in your access policies:
Server RBAC:
  • Set allowed_groups to restrict server access to specific groups
  • Set denied_groups to block specific groups from accessing a server
Capability RBAC:
  • Assign groups to individual tools, prompts, or resources
  • Use annotation-based policies to apply group restrictions based on tool characteristics (read-only, destructive, etc.)
See Set Up Server RBAC and Set Up Capability RBAC for detailed configuration.

Troubleshooting

Users can’t sign in with SSO

  • Verify SSO is correctly configured in Settings > Organization
  • Check that the user exists in your identity provider
  • Ensure the user’s email domain matches your organization’s verified domain

Groups not appearing in RBAC policies

  • For Entra ID: Verify directory sync is enabled and the groups are selected for sync
  • For Auth0/Descope: Check that Management API credentials are correctly configured
  • Allow a few minutes for group changes to propagate

User has wrong permissions

  • Verify the user’s group memberships in your identity provider
  • Check that RBAC policies reference the correct group names (case-sensitive)
  • Review the policy hierarchy: organization → gateway → server
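
Because group names are case-sensitive, a mis-cased entry in allowed_groups or denied_groups will not match the synced group. The following is an added example, not Golf's own code: a small lint that compares policy group references against the groups synced from the identity provider. The policy layout (one dict per server) and all sample names are assumptions; only the allowed_groups and denied_groups field names come from this page.

```python
# Added example: lint RBAC group references against the groups synced from the IdP.
# The policy layout (a dict per server holding allowed_groups / denied_groups lists)
# is an assumption for illustration; only the two field names come from the page.

def lint_group_refs(policies, synced_groups):
    """Return a sorted list of (server, field, group, problem) findings."""
    synced = set(synced_groups)
    # Map case-folded name -> actual synced names, to spot case-only mismatches.
    by_folded = {}
    for name in synced:
        by_folded.setdefault(name.casefold(), []).append(name)

    findings = []
    for server, policy in policies.items():
        allowed = policy.get("allowed_groups", [])
        denied = policy.get("denied_groups", [])
        for field, groups in (("allowed_groups", allowed), ("denied_groups", denied)):
            for group in groups:
                if group in synced:
                    continue  # exact, case-sensitive match
                near = sorted(by_folded.get(group.casefold(), []))
                if near:
                    problem = "case mismatch, synced as " + ", ".join(near)
                else:
                    problem = "not in synced groups"
                findings.append((server, field, group, problem))
        # The page does not state which list wins, so flag overlaps for review.
        for group in sorted(set(allowed) & set(denied)):
            findings.append((server, "allowed_groups+denied_groups", group,
                             "listed as both allowed and denied"))
    return sorted(findings)


# Constructed sample data (not real Golf output).
SYNCED = ["Platform-Engineering", "Security", "Contractors"]
POLICIES = {
    "billing-mcp": {"allowed_groups": ["platform-engineering", "Security"],
                    "denied_groups": ["Contractors"]},
    "docs-mcp": {"allowed_groups": ["Security", "Interns"],
                 "denied_groups": ["Security"]},
}

if __name__ == "__main__":
    for finding in lint_group_refs(POLICIES, SYNCED):
        print(" | ".join(finding))
```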