Automatically provision users and memberships with JIT provisioning.
JIT provisioning automatically creates users and organization memberships when a user signs in for the first time. This feature allows users to access an organization’s resources without requiring manual invitations from the IT admin.
Users with verified email domains can be automatically added as members to an organization through the organization’s domain policy. This feature is useful when an application or organization wants to automatically group individuals into the same workspace based on their email domain.
When a user signs in for the first time, WorkOS checks whether their email domain matches a verified domain of an organization and, if it does, prompts the user to sign in through the organization’s IdP. The user is then automatically created and added as a member of the organization.
SSO JIT provisioning is not fully supported for guests whose email domain has not been verified by the organization.
For example, an IT admin may want to gate all contractor access through their IdP (to enable access revocation across applications), but the contractor prefers to use their own email address.
Instead of being provisioned just in time, guest users must be invited to join the organization before they are able to sign in with the organization’s IdP.
Both automatic membership by email domain and SSO JIT provisioning are enabled by default but can be disabled in the WorkOS Dashboard.
Disabling these features may be useful if the IT admin prefers to manually control membership through invitations.
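The rules above can be read as a small decision procedure. The following is an added illustration, not WorkOS code or its API: `Org`, `first_sign_in` and the outcome strings are hypothetical, and it assumes domains are compared case-insensitively and exactly, with subdomains treated as separate domains.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    verified_domains: set                 # domains the organization has verified
    invited: set = field(default_factory=set)  # lower-cased invited emails
    domain_auto_join: bool = True         # automatic membership by email domain
    sso_jit: bool = True                  # SSO JIT provisioning

def email_domain(email):
    """Lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        return None
    return domain.lower().rstrip(".")

def first_sign_in(email, org):
    """Outcome of a first sign-in under this simplified model."""
    domain = email_domain(email)
    if domain is None:
        return "rejected"
    # Exact set membership: suffix or substring checks would accept
    # look-alikes such as "example.com.attacker.test".
    if domain in org.verified_domains:
        if org.sso_jit:
            return "sso_jit"            # sign in through the IdP, then provision
        if org.domain_auto_join:
            return "domain_auto_join"   # membership from the domain policy
    if email.strip().lower() in org.invited:
        return "invitation"             # guest path: invited first
    return "invitation_required"

# Constructed sample data, not taken from any real organization.
ACME = Org(verified_domains={"example.com"}, invited={"contractor@mail.test"})
LOCKED = Org(verified_domains={"example.com"}, domain_auto_join=False, sso_jit=False)

if __name__ == "__main__":
    for addr in ("Alice@EXAMPLE.com", "bob@example.com.attacker.test",
                 "eve@sub.example.com", "contractor@mail.test", "nobody"):
        print(f"{addr:32} -> {first_sign_in(addr, ACME)}")
    print(f"{'alice@example.com (LOCKED)':32} -> {first_sign_in('alice@example.com', LOCKED)}")
```

With both features disabled (`LOCKED`), even a user on a verified domain falls through to the invitation path, which is the manual-control setup described above.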