At Slite we support Just-in-Time provisioning via authenticated email or 3rd party authentication providers. This means that accounts may be automatically created or suspended when they try to use Slite.
Just-in-Time (JIT) Provisioning
With JIT, Slite admins no longer need to create accounts manually for each user to provide access. Instead, user accounts are automatically created the first time users try to log in to Slite.
To enable:
Click your workspace logo in the top-left corner.
Select Settings from the menu, then go to the Security section.
Toggle the switch next to Enable auto-join.
Enabling auto-join.
Once you activate this feature, you can provide a list of email domains (comma separated) that will be allowed to automatically create accounts once verified.
Account verification can be achieved either using a 3rd party authentication provider, or a confirmation code sent via email for email and password authentication.
Enforcing Google Workspace Authentication
If you want to restrict access to Google SSO only (no email/password login):
Click your workspace logo in the top-left corner.
Select Settings from the menu, then go to the Security section.
Scroll all the way down and click Enable next to Google Workspace authentication.
Enabling Google Workspace authentification.
When this is enabled, users will not be able to create an account via email address and password.
This feature works in parallel with JIT Provisioning, meaning you will also need to enable auto-join.
In a similar fashion to JIT Provisioning, we also support "lazy" JIT deprovisioning.
Security Considerations
When you configure your Slite organization to use provisioning (via Google or OpenID), the authentication provider grants access to Slite for a short period of time (default to 1 hour and may be configurable on some OpenID providers).
Each time this grant period is expired, Slite asks the authentication provider if the current member is still granted to use Slite. This means that if a user is suspended in Google Workspace or your OpenID Provider, they may still have access to Slite for up to 1 hour if they currently have an existing session open.
As soon as the authentication provider denies access, the member is automatically archived and access to Slite will no longer be available.
If you want to immediately block access to the member, you can still delete the account in Slite by accessing the Members & guests section in the workspace settings.
Accounts suspended in SSO continue to appear in Slite member list
As we are doing "lazy" deprovisioning, an account removed from your authentication provider may still appear in your member list. This account will only be automatically removed if the user attempts to authenticate with Slite.
After 30 days of account inactivity, we will query your authentication provider and automatically archive accounts that are no longer valid.
If accounts have been wrongly archived they would be automatically re-provisioned on the next user sign-in, no data is lost.
Re-Provisioning
If a user's account has been suspended and then reactivated in your authentication provider, the next time that user attempts to authenticate with Slite, their account will be re-provisioned and unarchived rather than creating a new account.
Deleting Members
When you try to delete a member, you may encounter the following warning.
Add a caption...
This means the member you are trying to remove still exists in your authentication provider and would be able to be automatically re-provisioned when they try to sign in to Slite.
If the person is still in the company but does not use Slite anymore you can temporarily disable the user provisioning in Slite. You can find a toggle for this in your settings. You are then able to remove the users, even though they are still part of your Google account. Once you are done with the cleanup you can enable the user provisioning in Slite again.
If the user has left the company, you just need to delete the user from your authentication provider.