At Slite we support Just-in-Time provisioning via authenticated email or 3rd party authentication providers. This means that accounts may be automatically created or suspended when users try to use Slite.

Just-in-Time (JIT) provisioning

This feature is available in all Slite plans, including the Free Plan.

With JIT, Slite admins no longer need to create accounts manually for each user to provide access. Instead, user accounts are automatically created the first time users try to log in to Slite.

This is achieved by activating Auto-join by domain, which is available in the Settings Panel, under Team Settings.

Once you activate this feature, you can provide a list of email domains (comma separated) that will be allowed to automatically create accounts once verified.

Account verification can be achieved either using a 3rd party authentication provider, or a confirmation code sent via email for email and password authentication.


Enforcing Google Workspace SSO Authentication

This feature is only available in the Slite Standard or Premium Plans.

In many cases, it may be undesirable to have users authenticating with an email and password combination, but rather to enforce existing authentication logic through Google Workspace.

Available in the Admin Panel under the Authentication section, it is possible to enforce Google for SSO. This means that users will not be offered the possibility of creating an account via email address and password.

This feature works in parallel with JIT Provisioning, meaning you will also need to activate Auto-join by domain to achieve Enforced Google Workspace SSO JIT Provisioning.


OpenID SSO

This feature is only available on our Premium and Enterprise Plans.

OpenID Connect works in a similar way to SAML, but uses the more modern OAuth 2.0 protocol. 3rd party providers such as Okta, OneLogin, Auth0 and Azure support this authentication mechanism.

Teams on the Premium and Enterprise Plans can configure this in the Admin Panel under the Authentication section.

If you enable Auto-join with your provider, then you will also be able to achieve JIT Provisioning in parallel with OpenID. This means any user who successfully signs in with your OpenID provider will be automatically created on Slite.


Deprovisioning

In a similar fashion to JIT Provisioning, we further support "lazy" JIT Deprovisioning.

Security considerations

When you configure your Slite organization to use provisioning (via Google or custom OpenID), the authentication provider grants access to Slite for a short period of time (1 hour by default; this may be configurable on some OpenID providers).

Each time this grant period expires, Slite asks the authentication provider whether the current member is still allowed to use Slite. This means that if a user is suspended in Google Workspace or your OpenID Provider, they may still have access to Slite for up to 1 hour if they currently have an existing session open.

As soon as the authentication provider denies access, the member is automatically archived and access to Slite will no longer be available.

If you want to immediately block access to the member, you can still delete the account in Slite by accessing the Members section in the Admin Panel.

Accounts suspended in SSO continue to appear in Slite member list

As we are doing "lazy" deprovisioning, an account removed from your authentication provider may still appear in your member list. This account will only be automatically removed if the user attempts to authenticate with Slite.

After 30 days of account inactivity, we will query your authentication provider and automatically archive accounts that are no longer valid.
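
Accounts left behind by lazy deprovisioning can be found ahead of the 30-day check by reconciling your Slite member list against your provider's directory. The script below is an added example, not Slite's code; the record fields, the risk labels and the use of last activity as a stand-in for the last grant time are assumptions.

```python
from datetime import datetime, timedelta, timezone

GRANT_PERIOD = timedelta(hours=1)      # default grant period stated on this page
INACTIVITY_SWEEP = timedelta(days=30)  # inactivity check stated on this page

def find_stale_members(slite_members, idp_users, now):
    """List unarchived Slite members whose IdP account is suspended or gone.

    Record shapes (email/archived/last_active, email/suspended) are assumed
    for this example; they are not a Slite or IdP export format.
    """
    idp_suspended = {u["email"].strip().lower(): u["suspended"] for u in idp_users}
    findings = []
    for m in slite_members:
        if m["archived"]:
            continue  # already deprovisioned
        email = m["email"].strip().lower()
        # A member absent from the IdP is treated like a suspended one.
        if not idp_suspended.get(email, True):
            continue
        idle = now - m["last_active"]
        if idle <= GRANT_PERIOD:
            risk = "grant-may-be-live"   # last grant may not have expired yet
        elif idle < INACTIVITY_SWEEP:
            risk = "awaiting-recheck"    # archived on next sign-in or the sweep
        else:
            risk = "sweep-overdue"       # past 30 days idle, still unarchived
        findings.append({"email": email, "idle": idle, "risk": risk})
    # Most recently active first: candidates for manual deletion.
    return sorted(findings, key=lambda f: f["idle"])

# Constructed sample data (not real accounts).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SLITE_MEMBERS = [
    {"email": "Ana@example.com", "archived": False, "last_active": NOW - timedelta(minutes=20)},
    {"email": "bo@example.com", "archived": False, "last_active": NOW - timedelta(days=3)},
    {"email": "cy@example.com", "archived": False, "last_active": NOW - timedelta(days=45)},
    {"email": "di@example.com", "archived": False, "last_active": NOW - timedelta(minutes=5)},
    {"email": "ed@example.com", "archived": True, "last_active": NOW - timedelta(days=2)},
]
IDP_USERS = [
    {"email": "ana@example.com", "suspended": True},
    {"email": "bo@example.com", "suspended": True},
    {"email": "di@example.com", "suspended": False},
    {"email": "ed@example.com", "suspended": True},
]

if __name__ == "__main__":
    for f in find_stale_members(SLITE_MEMBERS, IDP_USERS, NOW):
        print(f"{f['email']:<18} idle={f['idle']}  {f['risk']}")
```

Members reported as grant-may-be-live are the ones to delete by hand in the Members section if access must end immediately.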


Re-provisioning

If a user's account has been suspended and then reactivated in your authentication provider, the next time that user attempts to authenticate with Slite, their account will be re-provisioned and unarchived rather than creating a new account.


Deleting members

When you try to delete a member, you may encounter the following warning.

This means the member you are trying to remove still exists in your authentication provider and would be automatically reprovisioned if they try to sign in to Slite.

You have to remove or suspend them in your provider first.
