For users who have already been added, will anything in their accounts change when SSO is enabled?
Nothing will change for current users, except that they will be redirected to the SSO login page when they log in. If they already have a valid session, they will not be redirected to the SSO login page.
How will enabling SSO affect current users? Will I be able to have a mixed authentication environment with users from my domain and cloud authentication as well?
Mixed authentication is not supported. Once SSO is enabled, all current users will be redirected to your SSO provider.
Will existing users need to select the SSO option, and if so, will they need the “team name”?
No - existing users do not need to click on SSO Login. New users who are not yet in Rhombus also do not need to click on SSO Login, as long as the team name matches the new user's email domain. If there is a user in your SSO provider who is not part of your domain, only then does the SSO Login option need to be selected, for manual discovery.
Can we use SSO only, without relying on existing relationships to the AD group at all (that is, if they are an active user in the SSO provider and in the Rhombus Group, their privileges in the Rhombus Console would be managed in the console)?
You can manage roles from the Rhombus console, but note that if a matching group is passed to Rhombus during user authentication, the user's role in Rhombus will be updated automatically.
How do we deal with users who are not on the customer's domain but need to have access to Rhombus?
Customers can add third-party partners and send them temporary account login URLs with an expiration (Settings -> User Management -> Partners -> Add Third-Party Partner).
For users added as Partners in my domain, can they use SSO somehow?
Yes - you will need to add the email addresses of the users added as Partners to the SSO provider. For example, if the customer adds firstname.lastname@example.org in the @abccompany.com domain in the SSO provider, then email@example.com will use the SSO Login button to enter the email firstname.lastname@example.org and the team name abccompany, and will be authenticated with the customer's SSO.
What if the customer doesn’t want to use AD groups? Will that impact the integration, or will users still be able to authenticate with domain credentials and have their roles managed manually in Rhombus?
If the customer does not want to use AD groups, that is totally fine. As long as the customer has not created Roles with names matching the groups assigned to users in AD, they can manually assign Roles to users in the Rhombus console.
What does this 'Error: saml message invalid' error message mean?
The error message indicates an incorrect SAML configuration on the customer's IDP side. If the customer can log in fine with SAML, that error will not show up. My guess is that the error message is from when the customer did not have SAML set up completely.