User Provisioning

Administer user roles for secure and compliant access control within PandaDoc.

You can configure an identity provider (IdP) for PandaDoc in your organization to gain these benefits:

  1. Single Sign-On: Authenticate your users only once, and store their credentials in the IDP approved by your organization.
  2. Identity and Access Management: You can quickly onboard (and, in the case of SCIM, offboard) members of your oganization in PandaDoc, with appropriate roles and workspace access.


Single Sign-On (SSO) is a method that allows users to authenticate once and gain access to multiple applications without the need to re-authenticate for each one separately.

If your configure SSO for PandaDoc, your users will be prompted to enter their work email and then redirected to your SSO provider.

Identity and Access Management (IAM)

JIT and SCIM are both ways of creating users and therefore cannot be used at the same time.

SCIM creates a user when they are added to the group in the SSO provider while JIT creates a user only after they have logged in PandaDoc for the first time. SCIM deletes a user when a user is deleted in the IdP, while with JIT, an admin has to remove such user manually on the Admin dashboard.


PandaDoc defaults to SCIM if a provider allows this, as this allows all users to be assigned a license at time they are added to the provider.

PandaDoc only supports SCIM 1.1 (any provider that supports SCIM 1.1). SCIM 2.0 is not supported.

We support creation and deletion of users. Update or read operations are not supported.

Configure SSO and IAM

Contact PandaDoc support team to configure SSO for your organization. Only Enterprise accounts are eligible for SSO configuration.

Learn more about the process and prerequisites: SSO implementation.

Provisioning workspace settings

To assign users to specific workspaces based on user characteristics such as role or license, PandaDoc has workspaces settings in the SSO setup.

You can only choose one option:

  1. All: all provisioned users will are assigned to all workspaces.
  2. Fixed: all provisioned users are be assigned to a specific workspace or a list of workspaces.
  3. Dynamic: users are assigned to a workspace based on their attributes set up in the identity management tool. Attributes can be mapped to a user role or license as needed.