Plan before you implement
Before enabling SSO or automated provisioning:
Document your current user structure and team organization.
Map your identity provider groups to Tines teams and roles.
Test your configuration in a non-production environment if possible.
Generate recovery codes for all tenant owners.
Prepare communication for your users about the change.
Communicate with your users
Always notify users before making authentication changes. Let them know:
When the change will happen
How their sign-in process will change
Who to contact if they have trouble accessing Tines
Any actions they need to take
Test thoroughly
After configuring SSO or provisioning:
Test sign-in with a regular user account (not your tenant owner account).
Verify that group mappings work correctly.
Check that new users are provisioned with the right teams and roles.
Confirm that deactivated users lose access appropriately.
Monitor and maintain
Authentication isn't a "set it and forget it" task:
Review audit logs regularly for unusual sign-in activity.
Keep your identity provider configuration up to date.
Periodically verify that group mappings still match your organization structure.
Update recovery codes if tenant owners change.
🪄Tip
Document your setup
Maintain documentation that includes:
Your SSO configuration details (without sensitive credentials).
Group mapping rules and the reasoning behind them.
Storage location for recovery codes and access procedures.
Troubleshooting steps for common authentication issues.
Contact information for your identity provider support.
This documentation will be invaluable when you need to troubleshoot issues or onboard a new tenant owner.