Manage users and organization memberships via directory sync providers.
This feature is currently in preview. Please reach out to support@workos.com or via your team’s WorkOS Slack channel if you would like Directory Provisioning enabled.
Directory provisioning gives an IT admin full control over access to an organization’s resources, without relying on manual entry. Users from a directory are pre-provisioned and managed by their Identity Provider.
A Directory Sync integration will need to be configured for every domain, i.e. organization, that wants to source users and organization memberships via directory provisioning. Directories can be set up via the WorkOS Dashboard with Setup Links. You can also integrate the Admin Portal with your app to generate links to configure directories.
The following directory sync providers are supported with directory provisioning:
If you are interested in directory provisioning support from a directory sync provider not listed above, please reach out to support@workos.com or via your team’s WorkOS Slack channel.
When directory provisioning is enabled and a directory sync provider integration is set up, domain-captured users from the directory sync provider will be provisioned and added as members to the organization.
Users with email addresses that do not match the organization’s domain will be sent an invitation to join the organization. On successful authentication, an organization membership will be added for these users.
Once directory provisioning is set up for an organization, any additional users, updates to current users, and de-provisioning events will flow through to user management.
Domain-captured users will be fully managed by the directory, and directory updates to their attributes will supersede updates made via SSO, the API, or manually in the dashboard. Additionally, if a domain-captured user is de-provisioned in the directory, the corresponding user and organization membership will be deleted.
Users with email addresses that do not match the organization’s domain will not be fully managed by the directory, and SSO, API or manual updates in the dashboard will persist. Additionally, if these users are de-provisioned in the directory, only the organization membership will be deleted, and the user will remain.
Directory users need a primary email address to be provisioned in user management; a directory user without one won't be provisioned. Additionally, if the primary email of a directory user is shared by another directory user, only one will be provisioned in user management, as email addresses are unique across user management users.
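The provisioning and de-provisioning rules above, modeled as an added example (not WorkOS code or its API) that predicts the outcome for each directory user and lists the ones an access review should look at. The `DirectoryUser` shape, the outcome strings, case-insensitive exact-domain matching, and keeping the first user seen for a shared email are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DirectoryUser:  # hypothetical record shape for this example, not a WorkOS type
    id: str
    primary_email: Optional[str]
    deprovisioned: bool = False

def expected_outcomes(users, org_domain):
    """Map each directory user id to the outcome the rules above predict."""
    outcomes, claimed = {}, set()
    for user in users:
        # Assumptions: case-insensitive comparison, exact domain match.
        email = (user.primary_email or "").strip().lower()
        domain_captured = email.rpartition("@")[2] == org_domain.lower()
        if not email:
            outcome = "not provisioned: no primary email"
        elif email in claimed:
            # The page does not say which duplicate wins; first seen is an assumption.
            outcome = "not provisioned: primary email already in use"
        elif user.deprovisioned:
            outcome = ("user and membership deleted" if domain_captured
                       else "membership deleted, user remains")
        else:
            outcome = ("provisioned as member, directory-managed" if domain_captured
                       else "invited, membership added after authentication")
        claimed.add(email)
        outcomes[user.id] = outcome
    return outcomes

def needs_review(outcomes):
    """Ids that were never provisioned, or whose user record outlives de-provisioning."""
    return sorted(uid for uid, o in outcomes.items()
                  if o.startswith("not provisioned") or o.endswith("user remains"))

# Constructed sample directory for the organization domain example.com.
SAMPLE = [
    DirectoryUser("u1", "alice@example.com"),
    DirectoryUser("u2", "bob@contractor.test"),
    DirectoryUser("u3", None),
    DirectoryUser("u4", "Alice@Example.com"),
    DirectoryUser("u5", "carol@example.com", deprovisioned=True),
    DirectoryUser("u6", "dave@contractor.test", deprovisioned=True),
]

if __name__ == "__main__":
    for uid, outcome in expected_outcomes(SAMPLE, "example.com").items():
        print(uid, "->", outcome)
```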