Set Up User Access | Rinami Knowledge Garden

Overview

The first step in setting up user access to the Cantara Administration Console is to define how users authenticate and how their accounts are managed. Cantara supports local accounts, Single Sign-On (SSO) through an external Identity Provider (IdP), and SSO through an IdP with SCIM provisioning.

Comparison of Authentication and User Management Options

The following table summarises how each setup affects ongoing user and group management in Cantara:

Setup Type	Authentication	User & Group Management	Notes
Local Accounts	Cantara login	Managed in Cantara	Users and groups are created and maintained directly in Cantara.
SSO with IdP only, no SCIM	Identity Provider	Managed in Cantara	The IdP is used for authentication only. Users must exist in Cantara.
IdP + SCIM	Identity Provider	Managed in IdP (synced to Cantara)	Users and groups are provisioned from the IdP into Cantara via SCIM.

These options determine how users log in to the console. They do not control user permissions within Cantara.

Authentication Options

Users can authenticate to the Cantara Administration Console using one of the following methods

Local Accounts (Managed in Cantara)

Administrators create and manage user accounts directly in Cantara.

Users log in with credentials stored in Cantara
All user lifecycle management is handled within Cantara

For setup instructions, see Add an Account in Cantara.

Integrate with an IdP (SSO only)

Cantara integrates with external IdPs such as Microsoft Entra ID or Okta using OAuth 2.0 or SAML to enable SSO. With SSO enabled, users authenticate via the IdP and sign in using their corporate credentials. A corresponding user account must exist in Cantara to allow access to the Cantara Administration Console.

This setup involves two parts:

Set up user accounts in Cantara

User accounts are created in Cantara to allow users to access the platform. For setup instructions, see Add an Account in Cantara.

Integrate with an IdP

Cantara is connected to an external IdP to enable SSO authentication using corporate credentials. For setup instructions, see Integrate with an Identity Provider.

NOTE: User accounts must exist in Cantara to enable access to the platform, even when using an IdP for SSO.

Integrate with an IdP + SCIM provisioning

Authentication is handled by an external IdP using SSO. User accounts and group memberships are managed in the IdP and automatically provisioned to Cantara using SCIM.

This setup involves two sequential steps:

Integrate with an IdP

Configure an IdP to enable SSO authentication using corporate credentials. For setup instructions, see Integrate with an Identity Provider.

Configure SCIM provisioning

Once the IdP is configured, SCIM is enabled to provision users and groups from the IdP into Cantara. For setup instructions, see Set Up User Provisioning.