# SSO Connections

> Configure platform SSO and user management for your organization

Golf provides flexible options for managing user access to your organization. You can use Golf's built-in user management or connect to your existing identity provider for enterprise SSO and automatic group synchronization.

## User Management Options

### Option 1: Golf User Management

Use Golf's built-in user management to invite and manage users directly:

1. Navigate to **Settings** > **Users**
2. Click **Invite user**
3. Enter the user's email address
4. Select a role (Admin or Member)
5. Click **Send invitation**

The user receives an email invitation and can join your organization after accepting.

**Roles:**

| Role   | Permissions                                  |
| ------ | -------------------------------------------- |
| Admin  | Manage users, gateways, and all settings     |
| Member | View and use MCP servers from the dev portal |

### Option 2: Connect to Your Identity Provider

For enterprise SSO, connect your organization to an external identity provider. This enables:

* Single sign-on with your corporate credentials
* Automatic user provisioning
* Group synchronization for RBAC policies

To configure SSO:

1. Navigate to **Settings** > **Organization**
2. Find the **SSO Configuration** section
3. Click **Configure SSO** to open the setup portal
4. Follow the guided setup to connect your identity provider

Supported identity providers include SAML-based providers and OAuth/OIDC providers like Microsoft Entra ID, Okta, and Google Workspace.

## Group Synchronization

When connected to an identity provider, Golf Gateway can automatically sync user groups for use in RBAC policies.

### How Group Sync Works

1. Users authenticate via your identity provider
2. Gateway retrieves the user's group memberships
3. Groups are available for Server RBAC and Capability RBAC policies

### Configuring Group Sync

Group sync configuration depends on your identity provider:

<Tabs>
  <Tab title="Microsoft Entra ID">
    When using Microsoft Entra ID for SSO, group synchronization is automatic via directory sync (SCIM). Groups are synced in real time as changes occur in your directory.

    **Setup:**

    1. Navigate to **Settings** > **Organization**
    2. Click **Configure SSO** and complete the Entra ID setup
    3. Enable directory sync in the setup portal
    4. Select which groups to sync

    Groups appear automatically in RBAC policy dropdowns.
  </Tab>

  <Tab title="Auth0 / Descope">
    For Auth0 or Descope, configure Management API credentials to enable group fetching:

    1. Navigate to **Settings** > **Organization**
    2. Find **Group Sync Configuration**
    3. Enter your Management API credentials:
       * **Auth0**: M2M application Client ID and Secret
       * **Descope**: Management Key
    4. Click **Save**

    The gateway fetches groups on demand during user authentication.
  </Tab>
</Tabs>

### Using Groups in RBAC

Once group sync is configured, use groups in your access policies:

**Server RBAC:**

* Set `allowed_groups` to restrict server access to specific groups
* Set `denied_groups` to block specific groups from accessing a server

**Capability RBAC:**

* Assign groups to individual tools, prompts, or resources
* Use annotation-based policies to apply group restrictions based on tool characteristics (read-only, destructive, etc.)

See [Set Up Server RBAC](/gateway/guides/security/setup-server-rbac) and [Set Up Capability RBAC](/gateway/guides/security/setup-capability-rbac) for detailed configuration.
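To make the `allowed_groups` / `denied_groups` semantics concrete, here is an added Python example (not Golf's own code) that evaluates a server policy against the groups synced from the identity provider and flags the case-mismatch problem noted under Troubleshooting. Because the page does not spell these out, it assumes that `denied_groups` is checked before `allowed_groups` and that an empty `allowed_groups` imposes no restriction.

```python
# Added example, not Golf's own code: a minimal model of the Server RBAC
# decision described above. Assumptions (not stated on the page): denied_groups
# is checked before allowed_groups, an empty allowed_groups imposes no allow
# restriction, and group names must match exactly (case-sensitive).
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ServerPolicy:
    allowed_groups: frozenset[str] = frozenset()  # empty => no allow-list restriction
    denied_groups: frozenset[str] = frozenset()


def evaluate_server_access(user_groups: Iterable[str], policy: ServerPolicy) -> tuple[bool, str]:
    """Return (allowed, reason) for one user against one server policy."""
    groups = frozenset(user_groups)  # groups as synced from the IdP, matched exactly
    denied_hit = groups & policy.denied_groups
    if denied_hit:  # assumption: an explicit deny wins over any allow
        return False, f"denied_groups matched: {sorted(denied_hit)}"
    if policy.allowed_groups:
        allowed_hit = groups & policy.allowed_groups
        if allowed_hit:
            return True, f"allowed_groups matched: {sorted(allowed_hit)}"
        return False, "user is in none of allowed_groups"
    return True, "no allowed_groups restriction on this server"


def find_case_mismatches(user_groups: Iterable[str], policy: ServerPolicy) -> list[tuple[str, str]]:
    """Troubleshooting aid: IdP groups that equal a policy group only when case is
    ignored. They never satisfy the case-sensitive check above and are a common
    cause of 'user has wrong permissions'."""
    policy_groups = policy.allowed_groups | policy.denied_groups
    by_lower = {g.lower(): g for g in policy_groups}
    return sorted(
        (g, by_lower[g.lower()])
        for g in set(user_groups)
        if g not in policy_groups and g.lower() in by_lower
    )


if __name__ == "__main__":
    # Constructed sample data: groups as an IdP might return them, plus one server policy.
    policy = ServerPolicy(allowed_groups=frozenset({"Data-Engineering", "Platform"}),
                          denied_groups=frozenset({"Contractors"}))
    print(evaluate_server_access(["Platform"], policy))                 # allowed
    print(evaluate_server_access(["Platform", "Contractors"], policy))  # deny wins
    print(evaluate_server_access(["data-engineering"], policy))         # case mismatch -> denied
    print(find_case_mismatches(["data-engineering"], policy))
```

Running `find_case_mismatches` over a user's synced groups is a quick first check when a user reports wrong permissions, before re-examining the policy hierarchy.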

## Troubleshooting

### Users can't sign in with SSO

* Verify SSO is correctly configured in **Settings** > **Organization**
* Check that the user exists in your identity provider
* Ensure the user's email domain matches your organization's verified domain

### Groups not appearing in RBAC policies

* For Entra ID: Verify directory sync is enabled and the groups are selected for sync
* For Auth0/Descope: Check that Management API credentials are correctly configured
* Allow a few minutes for group changes to propagate

### User has wrong permissions

* Verify the user's group memberships in your identity provider
* Check that RBAC policies reference the correct group names (case-sensitive)
* Review the policy hierarchy: organization → gateway → server

## Next Steps

* [Configure Identity Provider](/gateway/guides/identity-providers/configure-idp) - Set up IdP for MCP client authentication
* [Set Up Server RBAC](/gateway/guides/security/setup-server-rbac) - Control server access based on groups
* [Set Up Capability RBAC](/gateway/guides/security/setup-capability-rbac) - Fine-grained tool permissions
