You want to automatically create user accounts in your Notion workspace when employees sign in through your company identity provider. Notion supports SAML Just-In-Time provisioning, which eliminates manual user creation and reduces administrative overhead. This article explains what JIT provisioning does, the prerequisites required, and the exact steps to configure it in your Notion workspace. By the end, you will have a working setup that provisions users automatically on their first SAML login.
Key Takeaways: SAML Just-In-Time Provisioning in Notion
- Settings & Members > Settings > Authentication: Enable SAML SSO and toggle on Just-In-Time provisioning to auto-create users.
- Identity Provider attribute mapping: Map the NameID or email attribute to the Notion user email field for correct account creation.
- Workspace Owner role requirement: Only workspace Owners can enable SAML and JIT provisioning; Members and Guests cannot.
What Is SAML Just-In-Time Provisioning and Why Use It
SAML Just-In-Time provisioning, often called JIT provisioning, is a feature that creates a user account in Notion the moment a person authenticates through your identity provider for the first time. Without JIT, you must manually invite each user via email or use SCIM provisioning. JIT removes that step. When a new employee signs in using your company SSO portal, Notion checks if the user exists. If the user does not exist, Notion creates a new workspace member account using the identity attributes from the SAML assertion, typically the email address and display name.
JIT provisioning works only after SAML SSO is enabled on your workspace. It requires that your identity provider sends a valid SAML assertion containing at least the user’s email address. Notion assigns the new user the default member role. You cannot assign Owner or Admin roles through JIT — those must be set manually after account creation. JIT is ideal for organizations that want a zero-touch onboarding experience and do not need to pre-configure user permissions or groups before the first login.
Prerequisites for Enabling JIT Provisioning
Before you start, confirm you meet these requirements:
- You are a workspace Owner. Only Owners can access authentication settings.
- Your Notion workspace is on a Business or Enterprise plan. JIT is not available on Free or Plus plans.
- You have an identity provider that supports SAML 2.0, such as Okta, Azure AD, OneLogin, or Google Workspace.
- Your identity provider is configured to send the email address in the SAML NameID or an attribute named email.
- SAML SSO is already enabled and tested with at least one existing user before you turn on JIT.
Steps to Enable SAML Just-In-Time Provisioning in Notion
Follow these steps to turn on JIT provisioning in your Notion workspace. The process assumes SAML SSO is already configured. If you have not set up SAML SSO, complete that setup first.
- Open workspace settings
  Open Notion and navigate to Settings & Members in the left sidebar. Then click Settings at the top of the page.
- Go to the Authentication section
  In the Settings page, scroll down to Authentication. This section contains all SAML SSO and provisioning options.
- Locate the Just-In-Time provisioning toggle
  Under the SAML SSO configuration, you will see a toggle labeled Just-In-Time provisioning. If the toggle is grayed out, confirm that SAML SSO is enabled and that you are a workspace Owner.
- Turn on the toggle
  Click the toggle to switch it to the On position. A confirmation dialog appears. Click Turn On to confirm.
- Verify the attribute mapping in your identity provider
  Log in to your identity provider’s admin console. Ensure the SAML attribute mapping sends the user’s email address to Notion. In most providers, you map the NameID or a custom attribute named email. Notion uses this value to create the new user account.
- Test JIT provisioning with a new user
  Ask a colleague who does not have a Notion account in your workspace to sign in through your company SSO portal. They should be able to access Notion immediately. Verify in Settings & Members > People that a new member appears.
Common Mistakes and Limitations to Avoid
JIT provisioning is straightforward, but several pitfalls can break the setup. Review these issues before you deploy.
JIT toggle is disabled or grayed out
If the toggle is unavailable, check two things. First, confirm you are a workspace Owner. Second, verify that SAML SSO is enabled. JIT provisioning requires SAML SSO to be active. If SAML SSO is not set up, complete the SSO configuration first, then return to the JIT toggle.
New user cannot sign in after JIT is enabled
When a user attempts to sign in and receives an error, the most common cause is an incorrect SAML attribute mapping. Open your identity provider and confirm that the email attribute is mapped to the NameID or to an attribute named email. Notion does not accept other attribute names for JIT provisioning. Also verify that the user exists in your identity provider and that they are assigned to the Notion application.
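To check the mapping without guessing, you can inspect a SAML response captured from a test login. The following is an added example, not Notion or identity-provider code: it takes the base64 `SAMLResponse` value from the POST binding and reports whether the email arrives in the NameID or in an attribute named `email`. The function name, the sample response, and the exact-match rule on the attribute name are assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample (not from a real IdP): opaque NameID, email sent as an attribute.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>a1b2c3d4</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>new.hire@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_email_mapping(saml_response_b64: str) -> dict:
    """Report where the assertion carries an email address, if anywhere.

    Inspects attribute mapping only; it does NOT verify the XML signature,
    so use it on responses captured from your own test logins.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    result = {"nameid_email": None, "email_attribute": None, "misnamed": []}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and EMAIL_RE.match((name_id.text or "").strip()):
        result["nameid_email"] = name_id.text.strip()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        text = (value.text or "").strip() if value is not None else ""
        if not EMAIL_RE.match(text):
            continue
        # Assumption: the attribute name must be exactly "email" (case-sensitive).
        if attr.get("Name") == "email":
            result["email_attribute"] = text
        else:
            result["misnamed"].append(attr.get("Name"))
    result["jit_ready"] = bool(result["nameid_email"] or result["email_attribute"])
    return result


if __name__ == "__main__":
    print(check_email_mapping(base64.b64encode(SAMPLE_XML.encode()).decode()))
```

A non-empty `misnamed` list with `jit_ready` false means the identity provider is sending the email under a different attribute name and the mapping needs to be renamed.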
User is created with the wrong role
JIT provisioning always creates users with the Member role. You cannot change this default behavior. If a user needs Owner or Admin access, a workspace Owner must manually change their role after the account is created. Plan for a post-provisioning step if you require elevated permissions.
Existing users are not affected
JIT provisioning only applies to users who do not already have a Notion account in your workspace. Existing users continue to sign in normally. JIT does not update or overwrite existing user attributes such as display name or email.
SAML SSO Only vs SAML with JIT Provisioning: Key Differences
| Item | SAML SSO Only | SAML with JIT Provisioning |
|---|---|---|
| User creation method | Manual invitation via email or SCIM | Automatic on first SAML login |
| Time to first login for new user | Requires admin to send invite and user to accept | Immediate after admin enables JIT |
| Default role for new users | Set during invitation (Member or Guest) | Always Member |
| Identity provider attribute mapping | Not required for account creation | Requires email attribute mapping |
| Workspace plan requirement | Business or Enterprise | Business or Enterprise |
After enabling JIT provisioning, test the flow with a new user who has never accessed the workspace. Confirm that the user appears in the People list with the correct email address and the Member role. If you need to assign Owner or Admin permissions, do that manually right after the account is created. For large organizations, combine JIT provisioning with SCIM for group-based permission management, though SCIM is a separate configuration.