# Account Approve/Deny Workflow

In an environment where KCM users may be automatically created from an SSO system, such as SAML, OpenID, or PIV/CAC, administrators may wish to control more tightly whether those users are allowed to use KCM. To facilitate this, KCM provides administrators with an approve/deny workflow to decide whether an individual user should be allowed to authenticate with KCM using that SSO method.

## Configuring the KCM user creation workflow

To require approval for users signing in with a particular authentication method, use the `require-account-approval` property (or, for Docker, the `REQUIRE_ACCOUNT_APPROVAL` environment variable). This property accepts a comma-separated list of the names of all authentication methods that should require administrator approval. KCM supports the following authentication types:

| Authentication Method | Name |
| --- | --- |
| Encrypted JSON | `json` |
| LDAP | `ldap` |
| OpenID | `openid` |
| SAML | `saml` |
| SSL/TLS Client Authentication (PIV/CAC) | `ssl` |

For example, to require administrator approval for SAML and LDAP, you would specify:

```
require-account-approval: saml, ldap
```

The following example shows a `docker.yaml` file with the SAML authentication method enabled and account approval required for it:

```yaml
guacamole:
  image: keeper/guacamole:2
  restart: unless-stopped
  environment:
    ACCEPT_EULA: "Y"
    GUACD_HOSTNAME: "guacd"
    SSL_PRIMARY_URI: "https://kcm.example.net"
    SSL_CLIENT_AUTH_URI: "https://*.kcm.example.net"
    SSL_SUBJECT_BASE_DN: "ou=test department,o=u.s. government,c=us"
    POSTGRESQL_AUTO_CREATE_ACCOUNTS: "true"
    REQUIRE_ACCOUNT_APPROVAL: "saml"
```
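A small audit script, added here as an example and not part of KCM, that parses the comma-separated `require-account-approval` / `REQUIRE_ACCOUNT_APPROVAL` value described above and reports any SSO method in use that is not gated by approval. The set of "enabled" methods and the sample environment are constructed inputs; `parse_require_account_approval` and `audit` are names chosen for this example.

```python
"""Audit a KCM account-approval setting against the SSO methods in use (added example)."""
from typing import Dict, List, Set

# Method names KCM accepts in require-account-approval, as listed on this page.
KNOWN_METHODS = {"json", "ldap", "openid", "saml", "ssl"}
# Methods backed by an external identity source, which can auto-create KCM users.
SSO_METHODS = {"ldap", "openid", "saml", "ssl"}


def parse_require_account_approval(value: str) -> Set[str]:
    """Split the comma-separated list, tolerate surrounding spaces, reject unknown names."""
    names = {n.strip() for n in value.split(",") if n.strip()}
    unknown = names - KNOWN_METHODS
    if unknown:
        raise ValueError(f"unknown authentication method(s): {sorted(unknown)}")
    return names


def audit(env: Dict[str, str], enabled_methods: Set[str]) -> List[str]:
    """Return one finding per enabled SSO method that does not require approval.

    `env` is a docker environment mapping like the docker.yaml example; a missing
    or empty REQUIRE_ACCOUNT_APPROVAL means no method is gated. Findings are rated
    HIGH when accounts are auto-created, since users then get access on first login.
    """
    approved = parse_require_account_approval(env.get("REQUIRE_ACCOUNT_APPROVAL", ""))
    auto_create = env.get("POSTGRESQL_AUTO_CREATE_ACCOUNTS", "false").lower() == "true"
    severity = "HIGH" if auto_create else "INFO"
    return [
        f"{severity}: '{method}' logins do not require administrator approval"
        for method in sorted((enabled_methods & SSO_METHODS) - approved)
    ]


# Constructed sample mirroring the docker.yaml example on this page.
SAMPLE_ENV = {
    "POSTGRESQL_AUTO_CREATE_ACCOUNTS": "true",
    "REQUIRE_ACCOUNT_APPROVAL": "saml",
}

if __name__ == "__main__":
    # SAML is gated, LDAP (assumed also enabled here) is not, so one HIGH finding.
    for line in audit(SAMPLE_ENV, {"saml", "ldap"}):
        print(line)
```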

Once you have successfully configured and set up the authentication method, the corresponding SSO login method will be displayed on the login screen of the application. In the following image, the instance has been configured to use the `saml` authentication method:

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2F3LoQge9deTqFNvWdSYk2%2Fimage.png?alt=media&#x26;token=fdb66430-5c80-4ccc-a651-a52eadd99e17" alt=""><figcaption><p>Login Screen for SAML Authentication</p></figcaption></figure>

Users with at least one authentication method that needs to be approved or denied will be shown in the user list with a “Pending Login Request” badge next to their username:

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2Ff5rZIWAvPMCMrpqCEMcp%2Fimage.png?alt=media&#x26;token=5e6c1812-1d03-499e-8c6e-8df9129f1bfb" alt=""><figcaption></figcaption></figure>

Administrators can approve/deny access for that user via that authentication method by editing the user account in KCM:

<figure><img src="https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2FKwy7XqS5bHXhW5L1OY3C%2Fimage.png?alt=media&#x26;token=d1b72864-0d5e-4b19-bcb3-81b4da282032" alt=""><figcaption></figcaption></figure>
