SSO: AoT Provisioning using GraphQL API

Our GraphQL API can be utilised to provision Single Sign-On (SSO) accounts using the Ahead-of-Time (AoT) method via your Identity Provider (IdP) of choice.

Use Case

AoT provisioning can be used to associate a user's World Manager platform account with their IdP account in advanced/ahead of time. This is instead of the (default) Just-in-Time (JiT) provisioning method, which requires a user to map + bind their account upon first logging in via SSO.

Creating an Integration Client

Firstly, an Integration Client must be created within your World Manager platform specifically for use with our GraphQL API. See steps below:

Note: This can only be done using a ‘World Manager’ (top) level admin account.

1. Go to System → System Configuration

2. Click on Integration Clients

3. Click on New Integration Client

Important: Keep a copy of the Client ID and Client Secret values for use later.

4. In the Name field, enter a descriptive name

5. In the Scope field, tick the following checkbox options:

  • GraphQL API
  • SOAP API [optional]

Tip: We recommend selecting the “SOAP API” option as well, only if you plan on using it to obtain certain values, such as account UUIDs. Click here for more information on our SOAP API.

6. Click on Save

Making Requests

Generating an Access Token

To make requests using the GraphQL API, you will need to generate an access token, using the Client ID & Client Secret values copied from the Integration Client you created in the earlier steps.

Please refer to our SOAP API documentation for further information on how to generate an access token.

Note: The GraphQL API token endpoint for your platform is: <Your Platform URL>/graphql/v1. And the SOAP API token endpoint for your platform is: <Your Platform URL>/oauth/token.

API Request Values

The following values are required in order to bind an account using AoT provisioning:

  • accountUuid: The account's UUID value in your World Manager platform
  • authModule: The ‘nice name’, aka slug, of the IdP being used (e.g., microsoft, okta, onelogin etc.)
  • identifier: The value used as the ‘identifier’ in the SAML SSO configuration within your IdP (e.g., email address, username etc.)

Below is an example of a GraphQL request/payload to bind an account to an IdP identifier:

mutation {
updateUserAccountCredentials(input: {
accountUuid: "4771494f-5c77-4b3a-86dc-caafb8d80c45",
authModule: "microsoft",
identifier: ""
secret: ""
}) {

Important: Whilst the secret value is only optional, it must still be included in the request/payload - albeit with a blank value (as per the above example).

If you have any questions, or require further assistance, please contact our Support Team at

Was this article helpful?
0 out of 0 found this helpful