Skip to main content
LangSmith provides flexible controls for managing how users join your organization when using Single Sign-On (SSO) authentication. You can independently enable or disable both Just-In-Time (JIT) provisioning and user invites to match your organization’s security and onboarding requirements. When SSO is enabled, you have two independent settings: JIT provisioning automatically adds users when they sign in via SSO, while invites allow administrators to invite users manually before they can access the organization. Configure these settings in any combination to control your user onboarding workflow. This page explains how the settings work and how to configure them.

Settings

You can control the following two settings independently to manage how users join your organization.

JIT provisioning

The jit_provisioning_enabled setting controls automatic user provisioning. When enabled, users who authenticate via your SSO provider are automatically added to your organization and assigned to default workspaces with a default role. For more details, refer to Configure default SSO settings. When disabled, users must be explicitly invited or added via SCIM before they can access the organization.

Invites

The invites_enabled setting controls manual user invitations. When enabled, organization administrators can send invitations to users before they sign in. Invited users can claim their invite when signing in via SSO. When disabled, manual invitations are not allowed and users can only join via JIT provisioning or SCIM.

Update settings

You can update these settings in the LangSmith UI or with the LangSmith API:
In the LangSmith UI:
  1. Navigate to SettingsOrganizationAccess and SecurityGeneral.
  2. Toggle Enable JIT provisioning and Allow invites as needed.
  3. Configure SSO default workspaces and roles in SettingsOrganizationSSO Configuration.
Consider the following if you are using LangSmith self-hosted:
  • The JIT provisioning and the invites settings only apply to the default organization (identified by default_sso_provision=true). Other organizations must use invites in self-hosted.
  • The environment variable SELF_HOSTED_JIT_PROVISIONING_ENABLED can globally override the JIT provisioning setting. When set to false, JIT provisioning is disabled for all organizations regardless of their individual settings.
  • For additional self-hosted user management customizations, refer to Customize user management.

How user access works

When a user attempts to sign in via SSO, LangSmith follows this decision flow:
  1. User authenticates with SSO provider.
  2. LangSmith checks if user already has organization access: 
    ├─ YES → User is signed in
└─ NO → Continue to step 3
  3. Check if invites are enabled and a pending invite exists: 
    ├─ YES → Provision into organization with invite's organization role; provision into workspaces if invite included workspaces
└─ NO → Continue to step 4
  4. Check if JIT provisioning is enabled: 
    ├─ YES → Automatically provision user with default SSO workspaces/role
└─ NO → Deny access (user must be added via SCIM or by administrator)
When both JIT provisioning and invites are enabled, invites take precedence. If a user has a pending invitation, they are added with the invite’s contents, not the default SSO settings.

Configuration scenarios

Open access (both enabled)

Configuration:
  • ✓ JIT Provisioning enabled
  • ✓ Invites enabled
Behavior:
  • Users can sign in immediately via SSO and are auto-provisioned.
  • Admins can send invites to assign specific roles or workspaces.
  • Invited users get the invite configuration; non-invited users get default SSO configuration.
Example: 
User alex@company.com signs in via SSO:
  - No invite exists → Added to default workspaces with Viewer role

User billy@company.com signs in via SSO:
  - Invite exists for Editor role in "Production" workspace → Added only to "Production" workspace with Editor role (invite takes precedence)

JIT only (invites disabled)

Configuration:
  • ✓ JIT Provisioning enabled
  • ✗ Invites disabled
Behavior:
  • All users who authenticate via SSO are automatically provisioned.
  • Admins cannot send invitations.
  • All new users receive the same default workspaces and role.

Invite only (JIT disabled)

Configuration:
  • ✗ JIT Provisioning disabled
  • ✓ Invites enabled
Behavior:
  • Users must be invited before they can access the organization.
  • Users without invites are denied access even with valid SSO credentials.
  • Fine-grained control over who can access the organization.
Example: 
User alex@company.com signs in via SSO:
  - Has pending invite → Successfully joins organization

User billy@company.com signs in via SSO:
  - No invite → Access denied (must request invite from administrator)

Closed access (both disabled)

Configuration:
  • ✗ JIT Provisioning disabled
  • ✗ Invites disabled
Behavior:
  • SSO users cannot join the organization automatically.
  • Invitations cannot be sent.
  • Users must be provisioned through SCIM or directly by an administrator once they are already part of the organization via SCIM.

User access quick reference

JIT enabledInvites enabledPending inviteResult
YesInvite claimed (invite configuration used)
NoAuto-provisioned (default SSO configuration)
N/AAuto-provisioned (default SSO configuration)
YesInvite claimed
NoAccess denied - must be invited
N/AAccess denied - must use SCIM or admin

Configure default SSO settings

When JIT provisioning is enabled, configure default settings for new users:
  1. Default workspace role. Choose the workspace role that users receive when automatically provisioned. For details on what each role can do, refer to Organization and workspace operations. Options include:
    • Viewer: Read-only access
    • User: Standard access
    • Editor: Can modify resources
    • Admin: Full workspace control
  2. Default workspaces. Select one or more workspaces that users are automatically added to. Users receive the same role in all selected workspaces. To configure:
    1. Go to SettingsOrganizationSSO Configuration.
    2. Set Default workspace role.
    3. Select Default workspaces.
    4. Save your configuration.

SCIM integration

If your organization uses SCIM (System for Cross-domain Identity Management), users can be automatically provisioned and managed through your identity provider. SCIM provides an additional mechanism for user management that works alongside JIT and invite settings.
SCIM group membership overrides manually assigned roles or roles assigned via JIT provisioning. If you’re using SCIM, consider disabling JIT provisioning to avoid conflicts.
Edit this page on GitHub or file an issue.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.