# Advanced IAM configuration

> Configure advanced IAM options for W&B with environment variables for SSO, session length, OIDC, and LDAP settings.

In addition to basic [environment variables](../env-vars), you can use environment variables to configure advanced IAM options for your [Dedicated Cloud](/platform/hosting/hosting-options/dedicated-cloud) or [Self-Managed](/platform/hosting/hosting-options/self-managed) instance. Use these variables to customize SSO behavior, session expiration, OIDC and LDAP integration, and other identity-related settings to match your organization's security and access requirements.

Choose any of the following environment variables for your instance depending on your IAM needs.

| Environment variable                | Description                                                                                                                                                                                                                                                                                                                                                                                                            |
| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `DISABLE_SSO_PROVISIONING`          | Set this to `true` to turn off user auto-provisioning in your W\&B instance.                                                                                                                                                                                                                                                                                                                                           |
| `SESSION_LENGTH`                    | To change the default user session expiry time, set this variable to the desired number of hours. For example, set `SESSION_LENGTH` to `24` to configure session expiry time to 24 hours. The default value is 720 hours.                                                                                                                                                                                              |
| `GORILLA_ENABLE_SSO_GROUPS_CLAIMS`  | When you use OIDC-based SSO, set this variable to `true` to automate W\&B team membership in your instance based on your OIDC groups. You must also add a `groups` claim to the user OIDC token, formatted as a string array of all team names the user is part of.                                                                                                                                                    |
| `GORILLA_LDAP_GROUP_SYNC`           | If you use LDAP-based SSO, set this variable to `true` to automate W\&B team membership in your instance based on your LDAP groups. |
| `GORILLA_OIDC_CUSTOM_SCOPES`        | If you use OIDC-based SSO, you can specify additional [scopes](https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes) that the W\&B instance requests from your identity provider. These custom scopes don't change the SSO functionality.                                                                                                                                                              |
| `GORILLA_OIDC_SECRET`               | If you use OIDC-based SSO and your IdP requires an OIDC Client Secret, set this variable to the secret.                                                                                                                                                                                                                                                                                                                |
| `GORILLA_USE_IDENTIFIER_CLAIMS`     | If you use OIDC-based SSO, set this variable to `true` to enforce the username and full name of your users using specific OIDC claims from your identity provider. If set, ensure that you configure the enforced username and full name in the `preferred_username` and `name` OIDC claims respectively. Usernames can only contain alphanumeric characters along with underscores and hyphens as special characters. |
| `GORILLA_DISABLE_PERSONAL_ENTITY`   | Set this to `true` to turn off [personal entities](/support/models/articles/what-is-the-difference-between-team-and-). Users can no longer create new personal projects in their personal entities or write to existing personal projects. |
| `GORILLA_DISABLE_ADMIN_TEAM_ACCESS` | Set this to `true` to restrict Organization or Instance Admins from self-joining or adding themselves to a W\&B team, ensuring that only Data and AI personas have access to the projects within the teams.                                                                                                                                                                                                            |
| `WANDB_IDENTITY_TOKEN_FILE`         | For [identity federation](/platform/hosting/iam/identity_federation/), the absolute path to the local directory where JSON Web Tokens (JWTs) are stored. |

<Warning>
  W\&B advises caution: understand all implications before you enable some of these settings, such as `GORILLA_DISABLE_ADMIN_TEAM_ACCESS`. Contact your W\&B team with any questions.
</Warning>
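
A pre-flight check for the claim requirements of `GORILLA_ENABLE_SSO_GROUPS_CLAIMS` and `GORILLA_USE_IDENTIFIER_CLAIMS`, as an added example (not W\&B code): it decodes an ID token payload for inspection only, without verifying the signature, and checks the `groups`, `preferred_username`, and `name` claims against the formats stated in the table. The function names and sample claims are constructed for illustration.

```python
import base64
import json
import re

# Character set the table states for usernames: alphanumerics, underscores, hyphens.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def decode_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT for inspection only (no signature check)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, groups_sync: bool = True, identifier_claims: bool = True) -> list:
    """Return a list of problems; an empty list means the claims match the table."""
    problems = []
    if groups_sync:  # GORILLA_ENABLE_SSO_GROUPS_CLAIMS=true
        groups = claims.get("groups")
        if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
            problems.append("groups: must be a string array of team names")
    if identifier_claims:  # GORILLA_USE_IDENTIFIER_CLAIMS=true
        username = claims.get("preferred_username")
        if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
            problems.append("preferred_username: only alphanumerics, '_' and '-' allowed")
        name = claims.get("name")
        if not isinstance(name, str) or not name.strip():
            problems.append("name: missing or empty")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample claims (not from a real IdP).
GOOD = {"preferred_username": "ada_lovelace-1", "name": "Ada Lovelace", "groups": ["ml-research", "vision"]}
BAD = {"preferred_username": "ada@example.com", "name": "Ada Lovelace", "groups": "ml-research,vision"}

if __name__ == "__main__":
    for label, claims in (("good", GOOD), ("bad", BAD)):
        print(label, check_claims(decode_claims(make_sample_token(claims))))
```

The `BAD` sample shows two mismatches the check reports: an email address in `preferred_username` and a comma-separated string in `groups` instead of a string array.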
