Provisioning Settings
Provisioning settings determine how new people gain access to your organization. As your team scales, you can move from manual invitations to automatic access based on email domain or your corporate identity provider.
All provisioning settings are in Settings → Provisioning, and changes require the Owner role.
Membership Strategies
Your organization operates under exactly one active membership strategy at a time.
Manual Invitation
Available on: All plans
The default for every organization. New members join only when an Admin or Owner explicitly sends them an invitation. No one can join without being invited.
Best for: Organizations that want strict, individually-reviewed access control.
Domain Matching
Available on: Pro and Enterprise
When Domain Matching is active, any person with an email address at one of your allowed domains is automatically added as a Member the first time they sign in to Formael. No invitation needed.
Example: You add acme.com to your allowed domains list. Anyone who signs in with an @acme.com email address automatically joins your organization with the Member role.
How to enable:
- Go to Settings → Provisioning
- Select Domain Matching
- Add at least one allowed email domain (e.g.
acme.com) - Save your strategy
Managing allowed domains:
Under the Domain Matching strategy, you'll see an Allowed Email Domains section. You can add or remove domains at any time. People who already joined via a removed domain retain their membership — removing a domain only affects future logins.
Best for: Companies where everyone at acme.com should have Formael access, and the team is managed through email domain rather than individual invitations.
SSO / JIT Provisioning
Available on: Enterprise only
When SSO JIT (Just-In-Time) Provisioning is active, members are automatically added to your organization the moment they successfully authenticate through your configured identity provider. There are no invitations to manage and no domain lists to maintain — your corporate directory is the source of truth.
Requirements before activating:
- Your organization is on the Enterprise plan
- At least one identity provider is configured and active (see Enterprise SSO)
How to enable:
- First, configure an identity provider in Settings → Enterprise SSO
- Return to Settings → Provisioning
- Select SSO / JIT Provisioning
- Save
If you haven't configured an IdP yet, a prompt will guide you to the SSO settings page.
Best for: Enterprises using Okta, Azure AD, Google Workspace, or another corporate IdP where team membership is managed centrally.
Switching Strategies
You can switch strategies at any time. Existing memberships are never affected — the strategy change only controls how new members can join.
| From | To | Effect |
|---|---|---|
| Manual → Domain Matching | Allowed (Pro+) | Future logins from allowed domains auto-join |
| Manual → SSO JIT | Allowed (Enterprise) | Future SSO logins auto-join |
| Domain Matching → Manual | Allowed | Auto-join stops; existing members keep access |
| SSO JIT → Manual | Allowed | JIT provisioning stops; existing SSO members keep access |
Plan Comparison
| Feature | Free | Pro | Enterprise |
|---|---|---|---|
| Manual invitations | ✓ | ✓ | ✓ |
| Domain matching | — | ✓ | ✓ |
| SSO / JIT provisioning | — | — | ✓ |
Provisioning strategy availability is governed by your plan's feature flags, not seat counts. View full plan details →