Maintaining User Identities

Even when SSO is enabled, every user still has a local xAssets user record with an internal password. This page explains how user records work in an SSO environment, including password management, auto-creation of users, and what happens when SSO is enabled or disabled.

Prerequisites

How Internal Passwords Work with SSO

xAssets uses SQL Server authentication for database-level access, which requires every user to have an internal password. This password is completely separate from the user's SSO credentials:

  • SSO users never see or know their xAssets internal password. The system generates an encrypted hash automatically when the user account is created.
  • The SSO login flow authenticates the user with the identity provider, then uses the internal password transparently to establish the SQL Server session.
  • Users cannot change their internal xAssets password through the SSO flow -- it is managed by the system.

Password Management When Enabling SSO

When SSO is first enabled, all existing user passwords must be reset so they are stored in the encrypted format required by the SQL authentication system. This happens automatically as part of the SSO enablement process.

Warning: When SSO is disabled (e.g., for troubleshooting), password saving is also disabled. Any password resets or new accounts created while SSO is off will need their passwords reset again when SSO is re-enabled.
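The warning above implies a follow-up check after SSO is re-enabled: find the accounts whose internal password was last set while SSO was off. The following is an added example, not xAssets code; it assumes you can export a timestamped list of SSO enable/disable events and each account's last password-set time (both hypothetical inputs here), and the sample data is constructed.

```python
from datetime import datetime as dt

def sso_off_windows(events):
    """Turn (timestamp, enabled) toggle events into [start, end) windows
    during which SSO was off. A window that is still open ends at None."""
    windows, off_since = [], None
    for ts, enabled in sorted(events):
        if not enabled and off_since is None:
            off_since = ts                      # SSO switched off
        elif enabled and off_since is not None:
            windows.append((off_since, ts))     # SSO switched back on
            off_since = None
    if off_since is not None:
        windows.append((off_since, None))       # SSO is currently off
    return windows

def needs_reset(users, events):
    """Return logins whose most recent password set fell in an SSO-off window.
    A later reset made while SSO was on clears the flag, because only the
    last password-set time is compared."""
    windows = sso_off_windows(events)
    return sorted(
        login for login, last_set in users
        if any(start <= last_set and (end is None or last_set < end)
               for start, end in windows)
    )

# Constructed sample data (hypothetical export format).
EVENTS = [
    (dt(2024, 1, 10, 9, 0), True),    # SSO first enabled, all passwords reset
    (dt(2024, 3, 4, 14, 0), False),   # disabled for troubleshooting
    (dt(2024, 3, 4, 17, 30), True),   # re-enabled
]
USERS = [
    ("alice@example.com", dt(2024, 1, 10, 9, 0)),   # reset at enablement
    ("bob@example.com", dt(2024, 3, 4, 15, 12)),    # password reset while off
    ("carol@example.com", dt(2024, 3, 4, 16, 45)),  # account created while off
    ("dave@example.com", dt(2024, 3, 5, 8, 0)),     # created after re-enable
    ("erin@example.com", dt(2024, 3, 4, 18, 0)),    # reset again after re-enable
]

if __name__ == "__main__":
    for login in needs_reset(USERS, EVENTS):
        print("reset required:", login)
```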

Auto-Creating Users

If your entire workforce is registered with the SSO provider, xAssets can automatically create local user records when users log in for the first time:

  1. The user authenticates with the identity provider
  2. xAssets receives the user's identity (typically their email address)
  3. If no matching xAssets user record exists, the SSOADMIN account creates one automatically
  4. The new user is assigned to a default user group (see Azure User Groups for group mapping options)

This means new employees can start using xAssets immediately after being added to the identity provider, with no manual account creation required.

Importing Users from the Identity Provider

For providers that support directory synchronisation (Azure AD, Okta), you can also run a bulk import to populate the xAssets Custodian table with all users from the identity provider. This is separate from auto-creation:

  • Auto-creation creates xAssets user accounts when users log in
  • Directory import populates the Custodian table (the people/contact directory) with user details like names, departments, and email addresses

See the integration pages for each provider: