Regarding the SSO-enabled customer tenants, it is essential to manage user management at the IDP level, specifically within your AWS directory level.

To enable access to the platform, please ensure you add the user to the appropriate AWS group or grant the necessary permissions to the SSO application.
 
However, please note that there is a limitation in AWS SSO to pass dynamic user roles. To address this limitation, it is recommended that to configure a different IDP such as AzureAD, ADFS, or Okta.