User Provisioning

At Slite we support Just-in-Time provisioning via authenticated email or 3rd party authentication providers. This means that accounts may be automatically created or suspended when users try to use Slite.

Just-in-Time (JIT) provisioning

This feature is available in all Slite plans.
With JIT, Slite admins no longer need to create accounts manually for each user to provide access. Instead, user accounts are automatically created the first time users try to log in to Slite.

This is achieved by enabling "Auto-join", which can be found via "Workspace Settings > Security".

Once you activate this feature, you can provide a list of email domains (comma separated) that will be allowed to automatically create accounts once verified.

Account verification can be achieved either using a 3rd party authentication provider, or a confirmation code sent via email for email and password authentication.


Enforcing Google Workspace Authentication

In many cases, it may be undesirable to have users authenticating with an email and password combination, and you'd prefer to enforce existing authentication logic through Google Workspace.

Via "Workspace Settings > Security" it is possible to enforce Google for SSO. This means that users will not be offered the possibility of creating an account via email address and password.

This feature works in parallel with JIT Provisioning, meaning you will also need to activate Auto-join by domain to achieve Enforced Google Workspace SSO JIT Provisioning.


OpenID SSO

This feature is only available on our Premium and Enterprise Plans.
OpenID Connect works in a similar way to SAML, but utilizes the more modern OAuth 2.0 protocol. 3rd party providers such as Okta, OneLogin, Auth0 and Azure are able to support this authentication mechanism.

Teams on the Premium and Enterprise Plans can configure this via the "Workspace Settings > Security" section.

If you enable "Auto-join with your provider", then you will also be able to achieve JIT Provisioning in parallel with OpenID. This means any user who successfully signs in with your OpenID provider will be automatically created in Slite.


Deprovisioning

In a similar fashion to JIT Provisioning, we also support "lazy" JIT deprovisioning.

Security considerations

When you configure your Slite organization to use provisioning (via Google or OpenID), the authentication provider grants access to Slite for a short period of time (1 hour by default; this may be configurable on some OpenID providers).

Each time this grant period expires, Slite asks the authentication provider whether the current member is still allowed to use Slite. This means that if a user is suspended in Google Workspace or your OpenID Provider, they may still have access to Slite for up to 1 hour if they currently have an existing session open.

As soon as the authentication provider denies access, the member is automatically archived and access to Slite will no longer be available.

If you want to block the member's access immediately, you can still delete the account in Slite by accessing the Members & guests section in the workspace settings.


Accounts suspended in SSO continue to appear in Slite member list

As we are doing "lazy" deprovisioning, an account removed from your authentication provider may still appear in your member list. This account will only be automatically removed if the user attempts to authenticate with Slite.

After 30 days of account inactivity, we will query your authentication provider and automatically archive accounts that are no longer valid.

If accounts have been wrongly archived, they will be automatically re-provisioned on the next user sign-in. No data is lost.
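
A reconciliation check for the lazy deprovisioning behaviour described above, as an added example that is not Slite's code: it compares a constructed identity-provider export with a constructed Slite member export and flags members that are suspended in the provider but not yet archived. The record fields (email, suspended_at, archived, last_active) and all function names are assumptions, not a Slite or provider API.

```python
from datetime import datetime, timedelta, timezone

GRANT_WINDOW = timedelta(hours=1)      # default grant period stated on this page
INACTIVITY_SWEEP = timedelta(days=30)  # inactivity period before the provider is queried

def stale_members(idp_users, slite_members, now):
    """Flag members suspended in the provider but not yet archived in Slite.

    Returns (email, status, when) tuples:
      session_may_be_live: suspended less than one grant window ago, so an
                           open session can last until `when`
      listed_until_sweep:  no live grant; stays in the member list until the
                           user signs in or the inactivity sweep at `when`
    """
    # Assumption: emails are matched case-insensitively between the two exports.
    suspended = {u["email"].lower(): u["suspended_at"]
                 for u in idp_users if u["suspended_at"] is not None}
    findings = []
    for m in slite_members:
        since = suspended.get(m["email"].lower())
        if since is None or m["archived"]:
            continue  # still valid in the provider, or already archived
        if now < since + GRANT_WINDOW:
            findings.append((m["email"], "session_may_be_live", since + GRANT_WINDOW))
        else:
            findings.append((m["email"], "listed_until_sweep",
                             m["last_active"] + INACTIVITY_SWEEP))
    return findings

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample exports (hypothetical field names, not a real export format).
NOW = utc(2024, 5, 1, 12, 0)
IDP_USERS = [
    {"email": "alice@example.com", "suspended_at": utc(2024, 5, 1, 11, 30)},
    {"email": "bob@example.com", "suspended_at": utc(2024, 4, 20, 9, 0)},
    {"email": "carol@example.com", "suspended_at": None},
    {"email": "dave@example.com", "suspended_at": utc(2024, 4, 1, 9, 0)},
]
SLITE_MEMBERS = [
    {"email": "Alice@example.com", "archived": False, "last_active": utc(2024, 5, 1, 11, 45)},
    {"email": "bob@example.com", "archived": False, "last_active": utc(2024, 4, 18, 10, 0)},
    {"email": "carol@example.com", "archived": False, "last_active": utc(2024, 5, 1, 8, 0)},
    {"email": "dave@example.com", "archived": True, "last_active": utc(2024, 3, 30, 8, 0)},
]

if __name__ == "__main__":
    for email, status, when in stale_members(IDP_USERS, SLITE_MEMBERS, NOW):
        print(f"{email}: {status} (until {when.isoformat()})")
```

Members reported as session_may_be_live are the ones for whom deleting the account in Members & guests closes the remaining grant window.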


Re-provisioning

If a user's account has been suspended and then reactivated in your authentication provider, the next time that user attempts to authenticate with Slite, their account will be re-provisioned and unarchived rather than creating a new account.


Deleting members

When you try to delete a member, you may encounter the following warning.
This means the member you are trying to remove still exists in your authentication provider and would be automatically re-provisioned if they try to sign in to Slite.

If the person is still at the company but does not use Slite anymore, you can temporarily disable the user provisioning in Slite. You can find a toggle for this in your settings. You are then able to remove the users, even though they are still part of your Google account. Once you are done with the cleanup, you can enable the user provisioning in Slite again.

If the user has left the company, you just need to delete the user from your authentication provider.