HMP Active Directory Integration
Before configuring SSO, you should understand the difference between the concepts of SSO and of HMP roles/permissions. The relationship between user/group objects and their roles/permissions is defined in the HMP database. There is a separate relationship for connecting user objects to SSO identifiers. The SSO identifier that is passed back from AD FS to HMP is the User Principal Name (UPN). That UPN is checked against the current list of users in HMP's internal database to see what roles/permissions the user has, or what groups they are a member of, in order to grant them a specific level of access to HMP.
So, how does this HMP internal database get populated? Regardless of whether or not SSO is enabled, the user database is populated by (1) creating users manually in HMP, or by (2) connecting to an LDAP or Active Directory database. The latter is a prerequisite to establishing SSO connectivity.
The HMP server and AD have a direct integration. This method of collecting user objects and matching them with roles and permissions is a technical limitation of HMP, and is separate from SSO.
With SSO there is no direct exchange of information between the service provider (HMP) and identity provider. The web browser acts as an intermediary for all such exchanges. HMP does not store any authentication or other sensitive information. It is only via the browser SAML exchanges that user information (in this case, only the UPN) is obtained and verified. HMP does not store any user passwords in its internal database.
This also holds true for the basic Active Directory connection supported on HMP. It is just the authentication component that changes when SSO is enabled (where authentication is achieved via an identity provider). During a standard Active Directory login (when SSO is not enabled), the user's login credentials are entered on an HMP screen, but HMP is not capturing or storing those credentials — they are being sent as part of an LDAP connection to an LDAP server (as configured in the HMP's settings). It is the LDAP server that is performing the authentication and then returning similar user data to HMP (only the user object and "member of" permissions).
Whether SSO is enabled or disabled, there is a separate call to AD to say "what are the member attributes for this user object?".
If AD is not enabled (i.e. if you are manually creating users/groups in HMP), then it is not possible to enable SSO. In order for SSO to work, HMP must always go through that AD connection to ask the AD server what the "member of" attributes are for a given authenticated user. The data for that user always remains in the control of the AD domain.
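The flow described above, modelled end to end as an added example (this is not HMP's own code): the UPN is taken from the SAML assertion, checked against HMP's user table, and the AD "member of" lookup maps groups to roles. The user table, group-to-role mapping, directory contents and the assumption that AD FS issues the UPN as the NameID are all constructed stand-ins; the LDAP filter builder applies RFC 4515 escaping so an assertion-supplied UPN cannot alter the query sent to AD.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-ins for the two HMP database relationships described above:
# UPN -> HMP user id, and AD group DN -> HMP role.  Shapes are assumptions.
HMP_USERS = {"jdoe@corp.example": "u1001"}
GROUP_ROLES = {
    "CN=HMP-Admins,OU=Groups,DC=corp,DC=example": "administrator",
    "CN=HMP-Viewers,OU=Groups,DC=corp,DC=example": "viewer",
}
# Constructed stand-in for the AD lookup: UPN -> memberOf values.
DIRECTORY = {
    "jdoe@corp.example": [
        "CN=HMP-Viewers,OU=Groups,DC=corp,DC=example",
        "CN=Staff,OU=Groups,DC=corp,DC=example",
    ],
}
# Constructed minimal assertion as AD FS might post it back through the browser.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>
</saml:Assertion>"""

def upn_from_assertion(xml_text: str) -> str:
    """Extract the UPN from an assertion whose XML signature has ALREADY been
    verified (not shown).  Assumes AD FS issues the UPN as the NameID.
    A production parser should be a hardened one (e.g. defusedxml)."""
    node = ET.fromstring(xml_text).find("./saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion carries no NameID")
    return node.text.strip()

def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping so an assertion-supplied UPN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_of_filter(upn: str) -> str:
    """The 'what are the member attributes for this user object?' query."""
    return "(&(objectClass=user)(userPrincipalName=%s))" % escape_ldap_value(upn)

def resolve_roles(upn: str) -> set:
    """Second leg: UPN must be provisioned in HMP, then memberOf maps to roles."""
    if upn not in HMP_USERS:
        raise PermissionError("UPN not provisioned in HMP: %s" % upn)
    # In production this is an LDAP search against AD using member_of_filter(upn).
    groups = DIRECTORY.get(upn, [])
    return {GROUP_ROLES[g] for g in groups if g in GROUP_ROLES}
```

A UPN that is absent from HMP_USERS is rejected before any directory lookup, matching the requirement that the user already exist in HMP's database.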
Note
HMP does not exploit the full capability of SSO, focusing only on the user authentication portion.