Auto-provisioning user accounts when SSO is enabled

:bookmark: This guide explains how to auto-provision user accounts in Discourse when an external authentication provider is enabled, so that users are created automatically without being shown a signup page.

:person_raising_hand: Required user level: Administrator

Auto-provisioning user accounts with external authentication

When you connect Discourse to an external identity provider via DiscourseConnect, the OpenID Connect plugin, the OAuth2 Basic plugin, SAML, or another authentication provider, Discourse creates user accounts on first login. By default, it presents a signup page before creating the account, even when the provider has already supplied all the required details (email, username, and name).

Auto-provisioning removes this extra step. With the right settings enabled, Discourse silently creates the account in the background and logs the user straight in, providing a seamless experience.


Enabling auto-provisioning

To skip the signup step, you need to enable the auth_skip_create_confirm site setting. This setting is located in the Admin > All site settings > Login page.

Optional: Enable the override settings

These settings tell Discourse to trust the values provided by your identity provider and use them directly, without asking the user to review them. Navigate to the Admin > All site settings > Login page and check the following:

Setting Description
auth_overrides_username Uses the username from the provider directly on every login, and prevents the user from changing it locally. Applies to all authentication providers.
auth_overrides_email Uses the email from the provider directly on every login, and prevents the user from changing it locally. Applies to all authentication providers.
auth_overrides_name Uses the full name from the provider directly on every login, and prevents the user from changing it locally. Applies to all authentication providers.
auth_overrides_avatar Uses the avatar from the provider directly on every login, and prevents the user from changing it locally. Applies to all authentication providers.

:information_source: The OAuth2 Basic, OpenID Connect, and SAML plugins also have their own plugin-specific override settings (oauth2_overrides_email, openid_connect_overrides_email, saml_sync_email). These work the same way as the global auth_overrides_email setting, but apply only to their respective provider. For most setups, the global settings above are sufficient.


FAQs

Do these settings apply to all authentication plugins, or only DiscourseConnect?
The auth_skip_create_confirm and auth_overrides * settings apply to all external authentication providers, including DiscourseConnect, OpenID Connect, OAuth2 Basic, SAML, and any other plugin built on Discourse’s authentication framework.

Can I pre-create accounts for users before they log in?
Yes, but only when using DiscourseConnect. Use the sync_sso API route as described in Sync DiscourseConnect user data with the sync_sso route.

What is the difference between DiscourseConnect and the OAuth2/OIDC plugins?
DiscourseConnect is Discourse’s own custom SSO protocol. It gives your external site full control over Discourse accounts, including the ability to push group membership, override fields, and pre-create accounts via API. The OAuth2 and OpenID Connect plugins use industry-standard protocols, which makes them easier to connect to third-party identity providers with minimal configurations.


Additional resources

Last edited by @southpaw 2026-07-13T15:50:28Z

Check documentPerform check on document:
2 Likes