This guide explains how to auto-provision user accounts in Discourse when an external authentication provider is enabled, so that users are created automatically without being shown a signup page.
Required user level: Administrator
Auto-provisioning user accounts with external authentication
When you connect Discourse to an external identity provider via DiscourseConnect, the OpenID Connect plugin, the OAuth2 Basic plugin, SAML, or another authentication provider, Discourse creates user accounts on first login. By default, it presents a signup page before creating the account, even when the provider has already supplied all the required details (email, username, and name).
Auto-provisioning removes this extra step. With the right settings enabled, Discourse silently creates the account in the background and logs the user straight in, providing a seamless experience.
Enabling auto-provisioning
To skip the signup step, you need to enable the auth skip create confirm site setting. This setting is located in the Admin > All site settings > Login page.
Optional: Enable the override settings
These settings tell Discourse to trust the values provided by your identity provider and use them directly, without asking the user to review them. Navigate to the Admin > All site settings > Login page and check the following:
| Setting | Description |
|---|---|
auth overrides username |
Uses the username from the provider directly on every login, and prevents the user from changing it locally. Applies to all authentication providers. |
auth overrides email |
Uses the email from the provider directly on every login, and prevents the user from changing it locally. Applies to all authentication providers. |
auth overrides name |
Uses the full name from the provider directly on every login, and prevents the user from changing it locally. Applies to all authentication providers. |
auth overrides avatar |
Uses the avatar from the provider directly on every login, and prevents the user from changing it locally. Applies to all authentication providers. |
The OAuth2 Basic, OpenID Connect, and SAML plugins also have their own plugin-specific override settings (
oauth2 overrides email,openid connect overrides email,saml sync email). These work the same way as the globalauth overrides emailsetting, but apply only to their respective provider. For most setups, the global settings above are sufficient.
FAQs
Do these settings apply to all authentication plugins, or only DiscourseConnect?
The auth skip create confirm and auth overrides * settings apply to all external authentication providers, including DiscourseConnect, OpenID Connect, OAuth2 Basic, SAML, and any other plugin built on Discourse’s authentication framework.
Can I pre-create accounts for users before they log in?
Yes, but only when using DiscourseConnect. Use the sync_sso API route as described in Sync DiscourseConnect user data with the sync_sso route.
What is the difference between DiscourseConnect and the OAuth2/OIDC plugins?
DiscourseConnect is Discourse’s own custom SSO protocol. It gives your external site full control over Discourse accounts, including the ability to push group membership, override fields, and pre-create accounts via API. The OAuth2 and OpenID Connect plugins use industry-standard protocols, which makes them easier to connect to third-party identity providers with minimal configurations.
Additional resources
- Setup DiscourseConnect - Official Single-Sign-On for Discourse (sso)
- Discourse OpenID Connect (OIDC)
- Discourse OAuth2 Basic
Last edited by @Discourse 2026-04-03T23:04:25Z
Check document
Perform check on document: