
SSO User Auto-Provisioning

SIEM management and auditing functions require every Web Console user to be associated with a Person record and Login field in the Client Console.

If the SIEM cannot identify these user associations during a Single Sign-On (SSO) login, the SIEM will auto-provision a new user.


During a Single Sign-On (SSO) login, the SIEM identifies user associations by comparing the following fields:

Field     Location                               Portal/Console
nameID    SAML assertion                         Identity Provider (IdP)
Login     People tab in the Deployment Manager   Client Console
For an SSO user to successfully log in to the Web Console, the Login field from their Person record in the Client Console must match the nameID field from the IdP SAML assertion.


If the SIEM cannot identify a Person record with a Login field that matches the nameID field from the Identity Provider (IdP), the SIEM creates a new Person record and associated User Login record with the following values:

Person Record Field   Value
Name                  First name and last name of the user provided by the IdP.
Login                 Email address of the user provided by the IdP.

The Name field of a Person record must be unique, so auto-provisioning fails if an existing Person record already contains the combination of first name and last name provided by the IdP. This happens when the user already has a Person record whose Login field does not match the nameID: the association described above fails, and the SIEM then attempts to create a second record with the same Name. In this case, a SIEM administrator must update the Name field of the existing Person record to a different combination of first name and last name. The next SSO login then auto-provisions a new Person record, and subsequent SSO logins for this user are associated with that auto-provisioned user.
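As an added example (not LogRhythm code), the following Python models the two rules above: a login is associated only when a Person record's Login equals the SAML nameID; otherwise a new record is auto-provisioned with Name taken from the IdP's first and last name and Login from the IdP's email address, and provisioning fails when that Name is already in use. It runs against constructed Person records and constructed, unsigned SAML assertions. The attribute names FirstName and LastName, the use of the email address as nameID, and exact case-sensitive comparison are assumptions; the page does not specify any of them.

```python
# Added example, not LogRhythm code: a model of the association and
# auto-provisioning rules described on this page, run against constructed
# Person records and constructed (unsigned) SAML assertions.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# ASSUMPTION: the page does not name the SAML attributes that carry the
# user's first and last name, so these attribute names are hypothetical.
FIRST_NAME_ATTR = "FirstName"
LAST_NAME_ATTR = "LastName"


@dataclass
class Person:
    name: str   # Person record Name field ("First Last"); must be unique
    login: str  # Person record Login field; compared with the SAML nameID


def make_assertion(name_id: str, first: str, last: str) -> str:
    """Build a minimal constructed SAML 2.0 assertion (no signature, no conditions)."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{FIRST_NAME_ATTR}"><saml:AttributeValue>{first}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{LAST_NAME_ATTR}"><saml:AttributeValue>{last}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text: str):
    """Return (nameID, {attribute name: first value}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return name_id, attrs


def resolve_sso_login(people: list, assertion_xml: str):
    """Apply the page's rules to one SSO login.

    Returns (outcome, person); outcome is "matched", "provisioned" or
    "name_collision" (auto-provisioning failed because the Name is taken).
    """
    name_id, attrs = parse_assertion(assertion_xml)
    if not name_id:
        raise ValueError("assertion carries no NameID; no user can be associated")

    # Rule 1: association is on Login == nameID and nothing else (not the Name).
    # ASSUMPTION: exact string comparison; the page does not say whether case matters.
    for person in people:
        if person.login == name_id:
            return "matched", person

    # Rule 2: no match, so auto-provision. Name = first + last name from the IdP,
    # Login = the user's email address from the IdP. ASSUMPTION: the IdP sends the
    # email address as nameID, which rule 1 requires anyway for the new record to
    # be found on the user's next login.
    full_name = f"{attrs.get(FIRST_NAME_ATTR, '')} {attrs.get(LAST_NAME_ATTR, '')}".strip()
    if any(person.name == full_name for person in people):
        return "name_collision", None  # Name must be unique; admin must rename the old record
    new_person = Person(name=full_name, login=name_id)
    people.append(new_person)
    return "provisioned", new_person


def demo():
    """Walk through the cases the page describes; returns (outcomes, people)."""
    # Constructed Person records: one whose Login already equals the email the IdP
    # sends as nameID, and one legacy Client Console user with a short username.
    people = [Person("Alice Archer", "alice.archer@example.com"),
              Person("Bo Baker", "bbaker")]
    outcomes = []

    # Case 1: Login matches nameID, so the existing record is used.
    alice = make_assertion("alice.archer@example.com", "Alice", "Archer")
    outcomes.append(resolve_sso_login(people, alice)[0])

    # Case 2: "bbaker" != nameID, so rule 1 fails; auto-provisioning then fails too
    # because the Name "Bo Baker" is already taken by the legacy record.
    bo = make_assertion("bo.baker@example.com", "Bo", "Baker")
    outcomes.append(resolve_sso_login(people, bo)[0])

    # Remedy from the page: the administrator changes the existing record's Name.
    # The next SSO login auto-provisions, and later logins match the new record.
    people[1].name = "Bo Baker (console)"
    outcomes.append(resolve_sso_login(people, bo)[0])
    outcomes.append(resolve_sso_login(people, bo)[0])

    # Case 3: a user unknown to the Client Console is provisioned cleanly.
    pat = make_assertion("pat.example@example.com", "Pat", "Example")
    outcomes.append(resolve_sso_login(people, pat)[0])
    return outcomes, people


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

The second case is the one worth remembering when troubleshooting: an existing Client Console user is never matched on their name, only on Login, so a Login that differs from the nameID produces the Name collision rather than a login as the existing user. After the rename, SSO logins use the auto-provisioned record, not the original one.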


SSO Auto-Provisioning and Client Console Accounts

Users who were auto-provisioned by SSO and did not previously exist in the Client Console can initially log in only to the Web Console, and only via SSO, because the auto-provisioned account is assigned a random, complex password that no one knows at first login. If such a user needs to use the auto-provisioned account without SSO, either in the Client Console or in the Web Console, a SIEM administrator can set a password with the following procedure:

Before executing this procedure:

If you want the SSO auto-provisioned user's new password to be synchronized with Active Directory, this procedure does not achieve that: you must first create the user login either through Active Directory Group-Based Authorization or by manually creating a Person record tied to a Windows/AD account.


  1. Log in to the Client Console as a SIEM administrator.
  2. On the main toolbar, click Deployment Manager.
  3. Click the People tab.
  4. Right-click on the user's Person Record, and then click User Account Properties.
  5. Before proceeding, make sure you understand the Enforce Password Policy setting and the implications of changing it.

    Enforce Password Policy

    The Enforce Password Policy settings are retrieved from Windows Local Security Policy. (You can view this policy with the Windows MMC Local Security Policy (secpol.msc) in the Password Policy folder.) The default setting for Minimum Password Age is 1 day. If the SIEM administrator resets a user password with this default setting, the user cannot change their own password for 1 day unless the SIEM administrator disables the Enforce Password Policy. When the SIEM administrator changes the Enforce Password Policy setting, the following warning message is triggered:

    You have chosen to change password policy enforcement. This will require you to reset the user password. If you wish to continue with this operation, click OK. Otherwise click Cancel.

    The SIEM administrator can disable the Enforce Password Policy setting and immediately change the user's password. However, if the SIEM administrator later re-enables this setting, the warning message is triggered again and the password must be reset again.

    If the SIEM administrator does not want to disable the Enforce Password Policy setting, there are two options:

    1. After resetting the user's password, the user must wait 1 day to change it.

    2. The SIEM administrator can set the Minimum Password Age to 0 days, and the user can change their password immediately. This option is not available to LR Cloud customers.

  6. In Account Options, set Enforce Password Policy according to the option you chose from the note above.
  7. Set a temporary password for the user, and then give it to them.
  8. The user must log in to the Web Console via SSO using their normal SSO credentials.
    1. After logging in with SSO credentials, the user must replace the temporary password provided by the SIEM administrator with a password of their own.
    2. In the User Options menu, click Settings, then click Change Password.
    3. Enter the temporary password in the Old Password field.
    4. Enter the desired new password in the New Password field.
      This new password is used to log in to the Client Console, or to the Web Console without SSO.
    5. Click Save.

The new password is not synchronized with Active Directory and must be maintained manually. If the user needs their password synchronized with Active Directory, you must instead create the user login either through Active Directory Group-Based Authorization or by manually creating a Person record tied to a Windows/AD account.
