Just In Time Provisioning¶
What is JIT provisioning?¶
Just-in-Time (JIT) provisioning is a method of automating user account creation in real-time at the point of federated authentication. This means that when a user attempts to log in to an application for the first time via a trusted identity provider, JIT provisioning can be triggered to communicate the user's information from the identity provider to the application where the user account needs to be created.
JIT provisioning happens in the middle of an authentication flow. You can create users on the fly, without having to create user accounts in advance. This can be configured using an identity and access management mediator such as MWARE IAM.
How it works¶
Once JIT provisioning is configured for a particular application, the following process takes place.
-
User attempts to log in to the application although they do not already have a user account dedicated to that application.
-
The application initiates the authentication request.
-
The user gets redirected to MWARE IAM.
-
MWARE IAM redirects the user to a trusted external identity provider for authentication.
-
If the user is successfully authenticated, the identity provider returns a successful authentication response including user attributes to MWARE IAM.
-
Upon receiving a successful authentication response, MWARE IAM creates (provisions) the user to the internal userstore using the user attributes received with the authentication response. A user account for that user is now created in MWARE IAM as well.
Using JIT provisioning saves time and cost as the provisioning is automated and identity admins do not need to manually set up accounts for each new user.
Info
Optionally, you can also set up JIT provisioning to provision the new users persisted in MWARE IAM to the external system as well using outbound provisioning.
JIT provisioning is configured for a particular identity provider. Whenever you associate an identity provider with an application for outbound authentication, if JIT provisioning is enabled for that particular identity provider, the users from the external identity provider will be provisioned into MWARE IAM's internal userstore. You can also pick the provisioning userstore that the users are created in.
Related topics