
Just-In-Time (JIT) Provisioning

Just-In-Time (JIT) Provisioning automatically creates or updates a user's Identity Broker account at the moment that user signs in through a Federated Identity Provider, so accounts do not have to be pre-created by an administrator.

Workflow

  1. User Authenticates: The user logs in with an external IDP (e.g., Okta).
  2. Token Receipt: Identity Broker receives the ID token issued by the IDP and, once the token is validated, reads its claims (email, name, groups).
  3. Account Lookup: The broker checks whether an account is already linked to this IDP identity (the token's sub) or, failing that, whether an account matches the token's email address. The sub is the stable identifier; an email match should only be trusted where the IDP verifies the address, because an unverified email claim could link the login to another user's account.
  4. Provision/Update:
    • New User: A new account is created with the profile data mapped from the token.
    • Existing User: On each subsequent login, the account profile is refreshed with the latest data from the IDP (if sync is enabled).

Configuration

JIT settings are configured per Federated Identity Provider. You can control:

  • Enable/Disable: Turn JIT on or off for this IDP.
  • Attribute Mapping: Define which IDP claims populate which local user attributes.
  • Group Sync: Automatically assign users to groups based on the group claims in the token.
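The following is an added example that walks through the four workflow steps above and the three per-IDP settings in one place. It is illustrative code, not Identity Broker's own implementation: the names JitConfig, UserStore, User and provision are hypothetical, the claims in SAMPLE_CLAIMS are constructed, and the token's signature, issuer, audience and expiry are assumed to have been validated before the claims reach this code. It also covers the edge cases a practitioner cares about: an unverified email claim never binds to an existing account, an email already bound to a different IDP identity is refused, and group sync replaces the group set so removals at the IDP propagate.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample claims from an ID token, as an IDP such as Okta might issue.
# (Signature, issuer, audience and expiry are assumed to be verified already.)
SAMPLE_CLAIMS = {
    "iss": "https://example.okta.com",
    "sub": "00u1abcd",
    "email": "alice@example.com",
    "email_verified": True,
    "name": "Alice Example",
    "groups": ["Everyone", "Engineering"],
}


@dataclass
class JitConfig:
    """Per-IDP JIT settings (hypothetical names mirroring the page's three controls)."""
    enabled: bool = True
    sync_on_login: bool = True            # refresh existing accounts from fresh claims
    attribute_mapping: dict = field(      # IDP claim -> local attribute
        default_factory=lambda: {"email": "email", "name": "display_name"})
    group_sync: bool = True
    group_claim: str = "groups"
    group_mapping: dict = field(default_factory=dict)  # IDP group -> local group; empty keeps names


@dataclass
class User:
    attributes: dict
    groups: set = field(default_factory=set)
    link: Optional[tuple] = None          # (iss, sub) once linked to an IDP identity


class UserStore:
    """In-memory stand-in for the broker's user database."""
    def __init__(self):
        self.users: list[User] = []

    def find_by_link(self, iss, sub):
        return next((u for u in self.users if u.link == (iss, sub)), None)

    def find_by_email(self, email):
        return next((u for u in self.users if u.attributes.get("email") == email), None)

    def add(self, user):
        self.users.append(user)
        return user


def map_attributes(cfg, claims):
    """Apply the attribute mapping; claims absent from the token are simply skipped."""
    return {local: claims[claim] for claim, local in cfg.attribute_mapping.items() if claim in claims}


def map_groups(cfg, claims):
    """Translate IDP group names to local groups; unmapped names are dropped when a mapping exists."""
    idp_groups = claims.get(cfg.group_claim, [])
    if not cfg.group_mapping:
        return set(idp_groups)
    return {cfg.group_mapping[g] for g in idp_groups if g in cfg.group_mapping}


def provision(store, cfg, claims):
    """Run the JIT workflow. Returns (user, action) with action 'created', 'updated' or 'login'."""
    link = (claims["iss"], claims["sub"])
    user = store.find_by_link(*link)                      # step 3: stable lookup by issuer + sub
    if user is None and not cfg.enabled:
        raise PermissionError("JIT disabled and no account is linked to this identity")
    # Fall back to email only when the IDP asserts it verified the address; otherwise an
    # attacker-controlled email claim could bind this login to someone else's account.
    if user is None and claims.get("email_verified") is True and claims.get("email"):
        user = store.find_by_email(claims["email"])
        if user is not None and user.link is None:
            user.link = link                              # first federated login: link the local account
        elif user is not None:
            raise ValueError("email already bound to a different federated identity")
    if user is None:                                      # step 4, new user
        user = store.add(User(attributes=map_attributes(cfg, claims), link=link))
        if cfg.group_sync:
            user.groups = map_groups(cfg, claims)
        return user, "created"
    if not cfg.sync_on_login:                             # step 4, existing user, sync off
        return user, "login"
    user.attributes.update(map_attributes(cfg, claims))   # step 4, existing user, sync on
    if cfg.group_sync:
        user.groups = map_groups(cfg, claims)             # replace, so removals at the IDP propagate
    return user, "updated"
```

Two design choices are worth noting. First, the lookup keys on the (iss, sub) pair rather than on sub alone, so two IDPs that happen to issue the same subject string cannot collide. Second, group sync overwrites rather than merges: merging would leave a user in a group after the IDP removed them, which defeats the point of letting the IDP be the source of truth.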