If you configure single sign-on (SSO) with your Fusion Application and need a user to access FDI who isn't available in the source Fusion Application, what is the recommended approach?

When using SSO, authentication is handled by the identity provider, but access rights are controlled within each product’s own identity domain. FDI uses its own identity domain for authorization, so a user must exist there to receive FDI privileges. If a needed user isn’t present in the source Fusion Application, provisioning a dedicated user in the identity domain that serves the FDI instance ensures the user can be authenticated via SSO and granted the correct FDI access. Creating a Fusion user and hoping it carries FDI rights won’t place that user in the FDI domain and could leave them without the necessary permissions. Disabling SSO is not appropriate; the correct approach is to create a user with the required FDI access in the FDI identity domain to align provisioning, authentication, and authorization properly.