If you have an identity authentication system, you do not need to recreate users in the SP system and can configure federated identity authentication to allow users in your system to access cloud resources directly through SSO.
Federated identity authentication is required for browser-based WebSSO or non-browser-based API calling access to the cloud system.
API calling has the SP-initiated and IdP-initiated federated identity authentication modes. Users can select a mode supported by the enterprise IdP system.
The enterprise IdP is the IdP system of an enterprise management system. Users authenticated by their enterprise IdP cannot access the cloud system directly.
The enterprise administrator has to create accounts separately in the enterprise management system and the cloud system.
Users have to use different accounts to log in to the enterprise management system and cloud system.
Any user authenticated by the enterprise IdP can access the cloud system directly. The enterprise administrator does not need to create separate users in the cloud system.
The enterprise administrator does not need to create separate users in the cloud system, reducing the cost of personnel management.
Users can access both the enterprise management system and the cloud system simply by logging in to the enterprise management system.