Account setup

Manual deprovisioning

Manual account creation via Webflow sign up form with username and password authentication only.

‍

Manual deprovisioning by workspace admin in workspace dashboard.

Small teams without IT support, minimal security needs

Manual deprovisioning

Manual account creation via Webflow form with username and password authentication with second factor (authenticator app code).

‍

Manual deprovisioning by workspace admin in workspace dashboard.

Small teams without IT support who want improved security without strict enforcement (end-users set up 2FA themselves, no workspace enforcement available today).

Manual deprovisioning

Manual account creation but secure authentication via identity provider (e.g., Okta) for end-users assigned to Webflow app in IdP. Users authenticate via identity provider (e.g., Okta) or username/password.

‍

Manual deprovisioning by workspace admin in workspace dashboard.

Teams with IT support who want SSO security while leaving user management mostly to workspace admins.

‍

This setup is also helpful for teams working with smaller service providers or short-term contractors — especially those who don’t specialize in Webflow and don’t have their own workspace (a requirement for the guest role). These users often need to be added as full workspace members, and if SSO is enforced they’d be blocked. Allowing username/password login ensures they can still access the client workspace.

Manual deprovisioning

Manual account creation but users authenticate exclusively via identity provider (no username/password login).

‍

Manual deprovisioning by workspace admin in workspace dashboard

Security-conscious teams that want to enforce strict IdP-based access control but still prefer seat management and invitations to be handled by workspace admins.

‍

This setup also works well for teams when collaborating with established service providers or Webflow agencies that have their own workspace and join their clients workspaces as guests. Since SSO-only restrictions don’t apply to guest user types, these users can still access the workspace without issue. However, if the team is working with smaller service providers or contractors who don’t have their own workspace, SSO-only is not recommended for this reason (see above).

SCIM deprovisioning recommended

Accounts auto-created on first IdP login; authentication via identity provider only. 

‍

Centralized user removal via SCIM in IdP. Requires SSO.

Security-focused teams that want automated user provisioning and deprovisioning via IdP, shifting seat assignment responsibilities to IT. Want instant, centralized user removal.

SCIM deprovisioning recommended

IT provisions and manages users directly via IdP before users ever log in; authentication via identity provider only. 

‍

Centralized user removal via SCIM in IdP. Requires SSO.

Highly secure teams requiring complete IT-managed provisioning, deprovisioning, and precise alignment between IdP and Webflow access. Want instant, centralized user removal.