Provisioning users for enterprise connections

When you set up Kinde with enterprise authentication like SAML or Cloudflare, you’ll want to make sure that users are set up with the correct access and identity from day one. How you do this depends on how you ‘provision’ their enterprise user identity.

Users in Kinde are able to have multiple identities to support all the ways they can sign in, such as via email, social sign-in, etc. However, users managed through enterprise connections can only have an enterprise identity.

JIT provisioning is the simplest way to add users to Kinde and allow them to authenticate. Rather than importing or pre-provisioning, your users are added to Kinde at the point of their first authentication.

To enable JIT provisioning, select the Create a user record in Kinde option when you set up your enterprise connection.

[Screenshot: the JIT option on the enterprise connection screen]

The first time the user authenticates, Kinde creates a new user record for them with the identity information passed from your IdP.

Pre-provision or pre-create users

Sometimes, JIT provisioning is not the right path or may not be possible. For example:

  • The user already exists in Kinde and you’re switching the auth method to SSO.
  • You are importing users from another system and there is existing data related to the user you also wish to import.
  • You only want to add a sub-set of users from your directory.

Add users to Kinde

In all these cases, the users must first exist in Kinde to implement enterprise SSO.

You can add users to Kinde via import or via API.

All users must have an email address that matches their email with the IdP. This is not necessarily the email identity they use to sign in; it is used purely for initial matching against the email provided by the IdP.

This method of provisioning requires you to add the enterprise connection as part of the user’s identity in Kinde.

Add the enterprise connection identity via API (coming soon)

Add the enterprise connection identity manually

  1. Open a user’s profile and select Add identity.
  2. In the window that appears, select Enterprise SSO as the Identity type.
  3. Select the relevant Enterprise connection from the list.
  4. Enter the user’s email as it appears in the identity provider directory.
  5. Select Save. The user’s profile is updated to show only the enterprise connection identity.

Provisioning method 2: Set the connection to trust emails from the IdP

A slightly less secure option is to set the enterprise connection to trust emails from your IdP.

This does save you adding and linking users as per method 1 above, but it also overrides any existing identity information in Kinde (such as email or phone number) with the connection data from the IdP.

To employ this method, select the Trust email addresses provided by this connection option in the connection configuration (Settings > Authentication > Enterprise connections > Configure).

[Screenshot: the trust emails switch]

When the user signs in with an SSO connection that provides an email that matches the pre-provisioned user’s email, we will automatically combine the users. Their original email identity will be removed and from this point on they can only authenticate via the SSO connection.
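Before switching on trust emails, it helps to know which existing users would be merged and which identity fields would be overwritten. The script below is an added example, not Kinde's own code: it compares a user export against an IdP directory export. The CSV column names, the sample rows and the case-insensitive comparison are assumptions made for the check, not documented Kinde behaviour.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not the format of Kinde's or any IdP's real export.
KINDE_USERS_CSV = """id,email,phone
kp_001,alice@example.com,+15550001
kp_002,Bob@Example.com,
kp_003,carol@example.com,+15550003
kp_004,bob@example.com,
"""
IDP_DIRECTORY_CSV = """email
alice@example.com
bob@example.com
dave@example.com
"""

def norm(email):
    # Assumption: compare case-insensitively so case variants surface for review.
    return email.strip().casefold()

def audit(kinde_csv, idp_csv):
    """Classify users by what an email-based match against the IdP would do."""
    idp = {norm(r["email"]) for r in csv.DictReader(io.StringIO(idp_csv))}
    by_email = {}
    for row in csv.DictReader(io.StringIO(kinde_csv)):
        by_email.setdefault(norm(row["email"]), []).append(row)

    report = {"will_merge": [], "ambiguous": [], "kinde_only": [], "idp_only": []}
    for email, rows in sorted(by_email.items()):
        ids = [r["id"] for r in rows]
        if email not in idp:
            report["kinde_only"] += ids            # no IdP entry: nothing to match
        elif len(rows) > 1:
            report["ambiguous"].append((email, ids))  # several records share one email
        else:
            # Populated fields that IdP data would replace after the merge.
            overwritten = [k for k in ("email", "phone") if rows[0][k]]
            report["will_merge"].append((rows[0]["id"], overwritten))
    # Directory users with no pre-provisioned record.
    report["idp_only"] = sorted(idp - by_email.keys())
    return report

if __name__ == "__main__":
    for bucket, items in audit(KINDE_USERS_CSV, IDP_DIRECTORY_CSV).items():
        print(bucket, items)
```

Review the `ambiguous` and `will_merge` entries by hand before enabling the option, since those are the records whose sign-in method and stored identity data change.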

Troubleshoot SSO issues

We can’t find your account

If a user goes to sign in and encounters the ‘We can’t find your account’ message, it could be because Self-joining for the organization is switched off. This is the right behaviour if you don’t want users without the org_id to join the org, but the message is confusing. Switch this on via Organization > Policies.