Question: We have many users in our SSO directory.  Who can login to ClayHR?  Employees?  Contracts?  Friends?  Guests?
The way this works is as follows:
‍Suppose you have 11 "users" "active" in ClayHR, with names: A1, A2.. A10, and B11[Please note the 11th user with a slightly different name B11.]
Suppose you have 100 users in your SSO (Azure AD, GSuite, Okta, etc.) with names: A1, A2..  A100.
Suppose now you enable "Login using SSO" in your ClayHR settings.  [To enable, you only need to toggle the correspdong SSO slider to "On" position - no other details are needed.]
Then, only 10 (A1.. A10) can login to ClayHR using SSO - These are 10 users that are in common between the two systems.
Other 90 cannot connect since they have no record in ClayHR.  
These 90 users have no license/cost implications in ClayHR.Your 11th user B11 - can still login to BM, using username and password, but cannot leverage SSO, since they don't exist in SSO directory.
If you choose to allow login via SSO only, and hide the ClayHR login form (in your SSO settings), then the user B11 will NOT be able login, since they are not in SSO directory.
‍What is the best way to manage this?

• Create every user in your SSO directory, as you normally do.  Generally, your SSO directory should be a super set of your ClayHR directory.
• Create only those users in ClayHR, who need access to ClayHR.
• Enable Login using SSO, and disable the ClayHR login, so that you can manage the access directly within your SSO directory.