Recommended setup for SSO with Tenants

Hey there Camunda experts,

We have a use case for SSO with Camunda, so no users or groups are present in Camunda’s DB. We would like to use tenants within a single process engine.

We’ve noticed that unless we use Transparent Access Restrictions for Tenants any query made to grab process definitions or tasks for workflows deployed within a tenant comes back empty no matter how we set the Authorization rules (allow ALL for the user or for a group the user belongs to). Is this expected?

Thus, without setting the tenants for the user on the default Identity Service, the user can only see tasks and processes that are global (not assigned to any tenant). In fact, the query below would return an empty result set:
GET http://localhost:8080/engine-rest/task?tenantIdIn=demo
Accept: application/json
Content-Type: application/json
###

However, once the tenants have been set for the user on the default Identity Service, all works as expected.

Does that mean we must use Transparent Access Restrictions for Tenants while implementing SSO without using Camunda’s DB to store the usernames and groups?

What is the recommended way to implement the relationship between the user and tenants in this scenario?
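The behaviour the post describes follows from how the engine's transparent tenant check works: with `tenantCheckEnabled` (the default) a query on tenant-scoped data is only allowed to see tenants that are present in the current authentication, and that list is whatever was passed to `IdentityService.setAuthentication(userId, groupIds, tenantIds)`, not what the authorization tables say. The following is an added example, not code from the original post or from Camunda itself; it uses the public Java API (`IdentityService.setAuthentication`, `TaskQuery.tenantIdIn`) and assumes the user id, group ids and tenant ids are read from the SSO token under hypothetical claim names, with constructed sample values standing in for them:

```java
import java.util.List;

import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngines;
import org.camunda.bpm.engine.TaskService;
import org.camunda.bpm.engine.task.Task;

/**
 * Sets the engine-level authentication for an SSO user without touching Camunda's
 * user/group/tenant tables. Group and tenant ids come from the SSO token (assumed
 * claim names below), not from the engine's identity tables.
 */
public class SsoTenantAuthenticationExample {

  // Constructed sample values standing in for claims read from the SSO token.
  static final String USER_ID = "alice";                   // assumption: subject claim
  static final List<String> GROUP_IDS = List.of("sales");   // assumption: "groups" claim
  static final List<String> TENANT_IDS = List.of("demo");   // assumption: "tenants" claim

  /** Runs a tenant-scoped task query with the given authentication set on the engine. */
  static List<Task> queryTasksAs(ProcessEngine engine, String userId,
                                 List<String> groupIds, List<String> tenantIds) {
    IdentityService identityService = engine.getIdentityService();
    TaskService taskService = engine.getTaskService();
    // The authentication is thread-local; always clear it again in a finally block,
    // otherwise a pooled thread keeps the previous user's tenants.
    identityService.setAuthentication(userId, groupIds, tenantIds);
    try {
      // Java equivalent of GET /engine-rest/task?tenantIdIn=demo
      return taskService.createTaskQuery().tenantIdIn("demo").list();
    } finally {
      identityService.clearAuthentication();
    }
  }

  public static void main(String[] args) {
    ProcessEngine engine = ProcessEngines.getDefaultProcessEngine();

    // With tenantCheckEnabled (the default), an authentication that carries no tenant
    // ids only passes the transparent tenant check for shared (tenant-less) resources,
    // so the tenant-scoped query comes back empty even if authorizations grant ALL.
    List<Task> withoutTenants = queryTasksAs(engine, USER_ID, GROUP_IDS, null);
    System.out.println("tasks visible without tenant ids: " + withoutTenants.size());

    // Passing the tenant ids taken from the SSO token makes the same query return the
    // tenant's tasks, still subject to the normal authorization rules.
    List<Task> withTenants = queryTasksAs(engine, USER_ID, GROUP_IDS, TENANT_IDS);
    System.out.println("tasks visible with tenant ids: " + withTenants.size());
  }
}
```

In the REST API this call is made for you by `ProcessEngineAuthenticationFilter`, which takes the authenticated user from the configured `AuthenticationProvider`; an SSO integration therefore supplies its own provider, and the tenant list has to reach the engine authentication from the token rather than from the (empty) identity tables. The alternative is to switch the engine property `tenantCheckEnabled` to `false`, which disables the transparent restriction entirely and leaves tenant isolation to explicit authorizations and query filters; that is a weaker default and should be a deliberate choice.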