# Account Approve/Deny Workflow

In an environment where KCM users may be created automatically from an SSO system, such as SAML, OpenID or PIV/CAC, administrators may wish to control more tightly whether those users are allowed to use KCM. To facilitate this, KCM provides administrators with an approve/deny workflow to decide whether an individual user should be allowed to authenticate with KCM using that SSO method.

## Configuring the KCM user creation workflow

To require approval for users signing in with a particular authentication method, use the `require-account-approval` property (or, for Docker, the `REQUIRE_ACCOUNT_APPROVAL` environment variable). This property accepts a comma-separated list of the names of all authentication methods that should require administrator approval. KCM supports the following authentication types:

<table data-header-hidden><thead><tr><th width="381"></th><th></th></tr></thead><tbody><tr><td><strong>Authentication Method</strong></td><td><strong>Name</strong></td></tr><tr><td>Encrypted JSON</td><td><code>json</code></td></tr><tr><td>LDAP</td><td><code>ldap</code></td></tr><tr><td>OpenID</td><td><code>openid</code></td></tr><tr><td>SAML</td><td><code>saml</code></td></tr><tr><td>SSL/TLS Client Authentication (PIV/CAC)</td><td><code>ssl</code></td></tr></tbody></table>

For example, to require administrator approval for SAML and LDAP, you would specify:

```
require-account-approval: saml, ldap
```

The following example shows a `docker.yaml` file with the SAML authentication method enabled and `REQUIRE_ACCOUNT_APPROVAL` set to `saml`:

```yaml
guacamole:
  image: keeper/guacamole:2
  restart: unless-stopped
  environment:
    ACCEPT_EULA: "Y"
    GUACD_HOSTNAME: "guacd"
    SSL_PRIMARY_URI: "https://kcm.example.net"
    SSL_CLIENT_AUTH_URI: "https://*.kcm.example.net"
    SSL_SUBJECT_BASE_DN: "ou=test department,o=u.s. government,c=us"
    POSTGRESQL_AUTO_CREATE_ACCOUNTS: "true"
    REQUIRE_ACCOUNT_APPROVAL: "saml"
```
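The following is an added pre-deployment check, not Keeper's own code: it parses `REQUIRE_ACCOUNT_APPROVAL` exactly as the property is described above (a comma-separated list of method names, whitespace tolerated), rejects names that are not in the table, and, when `POSTGRESQL_AUTO_CREATE_ACCOUNTS` is `true`, reports SSO methods that would auto-create users without passing through the approval queue. Because this page does not list the variables that enable each SSO method, the set of enabled methods is supplied by the caller; the sample environment below is constructed to mirror the `docker.yaml` above, treating `ssl` as enabled because `SSL_CLIENT_AUTH_URI` is set.

```python
"""Lint the KCM account-approval setting in a docker-compose environment block.

Added example (hypothetical helper), not part of Keeper Connection Manager.
"""
from dataclasses import dataclass, field

# Method names from the authentication-method table on this page.
KNOWN_METHODS = {"json", "ldap", "openid", "saml", "ssl"}
# Methods whose accounts may be created automatically from an external identity source.
SSO_METHODS = {"ldap", "openid", "saml", "ssl"}


def parse_required_approval(value: str) -> list[str]:
    """Turn 'saml, ldap' into ['saml', 'ldap'], ignoring spacing and empty entries."""
    return [m.strip().lower() for m in value.split(",") if m.strip()]


@dataclass
class LintResult:
    unknown: list[str] = field(default_factory=list)   # names not in the table
    ungated: list[str] = field(default_factory=list)   # auto-created SSO methods w/o approval


def lint(env: dict[str, str], enabled_sso: set[str]) -> LintResult:
    """Check the environment block; enabled_sso is caller-supplied (assumption)."""
    required = parse_required_approval(env.get("REQUIRE_ACCOUNT_APPROVAL", ""))
    result = LintResult(unknown=[m for m in required if m not in KNOWN_METHODS])
    auto_create = env.get("POSTGRESQL_AUTO_CREATE_ACCOUNTS", "false").strip().lower() == "true"
    if auto_create:
        # Enabled SSO methods that auto-create accounts but are not listed for approval.
        result.ungated = sorted((enabled_sso & SSO_METHODS) - set(required))
    return result


if __name__ == "__main__":
    # Constructed sample mirroring the docker.yaml fragment on this page.
    sample_env = {
        "SSL_CLIENT_AUTH_URI": "https://*.kcm.example.net",
        "POSTGRESQL_AUTO_CREATE_ACCOUNTS": "true",
        "REQUIRE_ACCOUNT_APPROVAL": "saml",
    }
    report = lint(sample_env, enabled_sso={"saml", "ssl"})
    print("unknown method names:", report.unknown)      # []
    print("auto-created without approval:", report.ungated)  # ['ssl']
```

Run it against each compose file before deployment; a non-empty `ungated` list means users arriving via that method will be created and able to sign in without an administrator ever seeing a "Pending Login Request" badge.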

Once you have successfully configured and set up the authentication method, the corresponding SSO login method will be displayed on the login screen of the application. In the following image, the instance has been configured to use the `saml` authentication method:

<figure><img src="/files/SMYKhhlIWCd8ia6e5nIm" alt=""><figcaption><p>Login Screen for SAML Authentication</p></figcaption></figure>

Users with at least one authentication method that needs to be approved or denied will be shown in the user list with a “Pending Login Request” badge next to their username:

<figure><img src="/files/8C83Hiva4YiZ3c2ypFMy" alt=""><figcaption></figcaption></figure>

Administrators can approve/deny access for that user via that authentication method by editing the user account in KCM:

<figure><img src="/files/fAkWS01Y30LHGINIOhJe" alt=""><figcaption></figcaption></figure>

