Hosted Onboarding

Hosted Onboarding is the PLTFRMS-managed identity and access provisioning flow that allows organisations to securely onboard users, organisations, and applications into a Realm.

It extends Hosted Login: in addition to authentication, it handles initial setup, provisioning, and structured access configuration.


What is Hosted Onboarding?

Hosted Onboarding is a guided, realm-aware flow that helps:

  • Create and configure organisations
  • Invite and provision users
  • Assign initial roles and groups
  • Register applications (clients)
  • Establish access boundaries within a realm

It is designed to simplify the initial setup of IAM for both customers and partners.


How Hosted Onboarding works

A typical onboarding flow includes:

  1. A new organisation or realm is created (or activated)
  2. IAM initiates the Hosted Onboarding flow
  3. The customer configures initial structure:
    • Organisation setup
    • User invitations
    • Role and group assignments
  4. Applications (OAuth2 clients) are registered
  5. Initial access policies are applied
  6. The environment becomes operational

All steps are executed within the IAM security and realm context.


Realm-based onboarding

Hosted Onboarding is always bound to a Realm.

This ensures:

  • Onboarding is fully isolated per customer
  • No cross-tenant access or configuration leakage
  • Each realm defines its own identity structure
  • Policies and defaults can differ per realm

Each onboarding flow configures a complete IAM environment inside that realm.


Organisation setup

During onboarding, organisations are typically created or configured.

This includes:

  • Defining organisation structure
  • Setting access boundaries
  • Assigning initial administrators
  • Linking users to organisational context

Organisations become the operational layer within the realm.


User provisioning

Hosted Onboarding supports multiple user provisioning methods:

  • Invitation-based onboarding
  • Email-based account creation
  • Admin-created users
  • External identity federation (via OpenID Connect)

Users are immediately integrated into the IAM structure upon onboarding completion.


Role and group assignment

As part of onboarding, initial access control is configured:

  • Groups are created for organisational structure
  • Roles are assigned to groups or users
  • Permissions are indirectly granted via roles
  • Default access policies are applied

This ensures that access is properly structured from the start.


Application (client) setup

Hosted Onboarding also supports application registration:

  • OAuth2 clients are created per realm
  • Redirect URIs and authentication flows are configured
  • Scopes and permissions are defined
  • Integration with Hosted Login is established

This allows applications to immediately use IAM after onboarding.


Security and control

Hosted Onboarding is designed with strict security principles:

  • All actions are executed within realm boundaries
  • No cross-realm provisioning is possible
  • Access is audited and traceable
  • Role-based access controls apply during onboarding
  • Sensitive configuration is protected by IAM policies
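
The realm-boundary and role-based rules above can be expressed as a pre-flight check over an onboarding plan. This is an added example, not PLTFRMS code: the plan schema, field names and sample values are hypothetical, and the requirement that each organisation has at least one administrator in the realm is an assumption.

```python
# Added example: the plan schema below is hypothetical, not the PLTFRMS API.

def validate_onboarding_plan(plan):
    """Return a list of violations; an empty list means the plan is consistent."""
    realm = plan["realm"]
    issues = []

    # Every provisioned object must belong to the realm the flow is bound to.
    for kind in ("organisations", "users", "groups", "clients"):
        for obj in plan.get(kind, []):
            if obj.get("realm") != realm:
                issues.append(f"{kind}/{obj['id']}: realm {obj.get('realm')!r} != {realm!r}")

    roles = plan.get("roles", {})  # role name -> list of permissions
    for p in plan.get("users", []) + plan.get("groups", []):
        # Permissions are granted indirectly via roles, never attached directly.
        if p.get("permissions"):
            issues.append(f"{p['id']}: direct permissions {p['permissions']}")
        for role in p.get("roles", []):
            if role not in roles:
                issues.append(f"{p['id']}: unknown role {role!r}")

    # Assumption: each organisation needs an initial administrator in this realm.
    user_ids = {u["id"] for u in plan.get("users", []) if u.get("realm") == realm}
    for org in plan.get("organisations", []):
        if not any(a in user_ids for a in org.get("admins", [])):
            issues.append(f"organisations/{org['id']}: no administrator in realm")
    return issues


# Constructed sample plan containing deliberate mistakes.
SAMPLE_PLAN = {
    "realm": "acme",
    "roles": {"org-admin": ["org:manage"], "viewer": ["org:read"]},
    "organisations": [{"id": "acme-nl", "realm": "acme", "admins": ["bob"]}],
    "users": [
        {"id": "alice", "realm": "acme", "roles": ["org-admin"]},
        {"id": "bob", "realm": "other", "roles": ["viewer"], "permissions": ["org:manage"]},
    ],
    "groups": [{"id": "staff", "realm": "acme", "roles": ["auditor"]}],
    "clients": [{"id": "portal", "realm": "acme"}],
}

if __name__ == "__main__":
    for issue in validate_onboarding_plan(SAMPLE_PLAN):
        print(issue)
```

The sample shows how one cross-realm user cascades: because bob belongs to another realm, the organisation that lists him as its only administrator is flagged as well.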


Why Hosted Onboarding matters

Hosted Onboarding ensures that:

  • IAM environments are structured correctly from the start
  • Customers can quickly deploy secure identity setups
  • Manual configuration overhead is reduced
  • Security and access control are enforced consistently
  • Realms are fully operational after initial setup

It provides a controlled and guided way to bring new organisations into the PLTFRMS IAM ecosystem.