
Automatic Provisioning

Automatic provisioning lets HostedScan create user accounts and add them to your organization on their first successful SAML login. When enabled, anyone who authenticates through your Identity Provider is automatically granted access — no manual invitation required.

How It Works

When a user completes SAML authentication and automatic provisioning is enabled:

  1. HostedScan looks up the user by email. If no account exists, one is created.
  2. If the user is not already a member of the organization, they are added with the Read Only role.
  3. The user's active organization is set to your organization, and they are logged in.

If automatic provisioning is disabled, only users who have already been invited to your organization can log in via SAML. Users who authenticate through your IdP but have not been invited will be rejected with an error message directing them to contact their administrator.
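The decision above can be written as a small model to reason about who ends up with access under each setting. This is an added illustration, not HostedScan's code; the `Org`, `Directory` and `saml_login` names, the "Admin" role label and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field

READ_ONLY = "Read Only"


@dataclass
class Org:
    """Hypothetical model of one organization's SAML setting and membership."""
    name: str
    auto_provision: bool
    members: dict = field(default_factory=dict)  # email -> role


@dataclass
class Directory:
    """Hypothetical account store: email -> active organization."""
    accounts: dict = field(default_factory=dict)


def saml_login(directory, org, email):
    """Apply the documented steps to an email the IdP has already authenticated.

    Returns (outcome, role); role is None when the login is rejected.
    """
    if org.auto_provision:
        # Step 1: look up the account by email and create it if missing.
        directory.accounts.setdefault(email, None)
        # Step 2: non-members are added as Read Only. Existing members keep
        # their role, which is how step 2's wording reads (assumption).
        org.members.setdefault(email, READ_ONLY)
    elif email not in org.members:
        # Disabled: only users already invited to the organization may log in.
        # Nothing is created for the rejected user.
        return ("rejected: contact your administrator", None)

    # Step 3: set the active organization and log the user in.
    directory.accounts[email] = org.name
    return ("logged in", org.members[email])


if __name__ == "__main__":
    directory = Directory()
    enabled = Org("acme", True, {"admin@example.com": "Admin"})     # constructed
    disabled = Org("acme", False, {"admin@example.com": "Admin"})   # constructed
    for org in (enabled, disabled):
        for email in ("admin@example.com", "new.hire@example.com"):
            print(org.auto_provision, email, saml_login(directory, org, email))
```

With the setting enabled, the only gate in the model is the IdP's own authentication, so application assignment in the IdP is what limits membership.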

Reaching the SAML Login

For automatic provisioning to take effect, the user must complete a SAML authentication flow with your IdP. There are two ways a new user can reach that flow:

1. Through Domain Verification

Domain verification ensures that users with a verified-domain email are directed to your SAML IdP when they log in to HostedScan. This is the recommended approach because it works automatically — users do not need a special link or instructions.

For example, if you verify example.com:

  • OAuth logins (Google, GitHub, Microsoft, DigitalOcean): Any user with an @example.com email who clicks "Sign in with Google" (or another OAuth provider) will be redirected to your SAML login flow instead.
  • Existing users requesting a magic link: The email they receive will include a link to log in through your IdP. Users who are only members of SAML organizations will only see SAML login links.

Note: A brand-new user who requests a magic link before they have any HostedScan account will receive a standard sign-in email without SAML links. For first-time users, direct them to start the login flow from your IdP or set up domain verification for your account with automatic provisioning enabled.

2. Through Your Identity Provider

Users can also start the SAML flow directly from your IdP. The user opens your IdP dashboard (e.g., Okta, Microsoft Entra, OneLogin) and clicks the HostedScan application tile. This initiates the SAML flow, and automatic provisioning adds them to your organization.

This path is useful when:

  • You have not yet verified your domain.
  • You want to onboard a new user who has never logged in to HostedScan before.
  • Your users are accustomed to launching applications from the IdP portal.

Enabling Automatic Provisioning

  1. Navigate to Settings > SAML SSO in HostedScan.
  2. Toggle Automatic Provisioning on.
  3. Save your SAML settings.

Default Role

All automatically provisioned users are added with the Read Only role. Organization administrators can change a user's role after they have been provisioned.

Best Practices

  • Verify your domain to automatically direct users to your SAML IdP and prevent them from bypassing SSO through OAuth providers.
  • Control access from your IdP by assigning only the appropriate users or groups to the HostedScan application. Automatic provisioning trusts your IdP's authentication — anyone who can authenticate will be added.
  • Combine with SAML enforcement to ensure all organization members authenticate through your IdP and cannot bypass SSO with other login methods.