Introduction
In this article, we will explain what just-in-time (JIT) provisioning is and how you can use it to automatically create user accounts through your single sign-on (SSO) connection. Before proceeding, we recommend checking our guide on How To Set Up an Inbound SSO Integration.
What Is JIT
Just-in-time (JIT) provisioning is a method of automating user account creation for web applications. It uses the SAML (Security Assertion Markup Language) protocol to pass information from the identity provider (IdP) to the service provider (web application).
JIT is what allows your SSO connection to serve not only as a login method but also as a registration method, without any extra setup.
What Are the Benefits of Using JIT
Saves time. Instead of having to manually add new starters to the platform, the system will do this for you upon their first SSO login, based on the data you have already provided. If you are a large organization, automated processes are a must in order to make your day-to-day tasks easier.
Reduces risk of errors. When preparing and processing files manually, spelling or other human errors can occur, resulting in incorrect details being uploaded, which can sometimes prevent users from accessing the platform. Automated data transfers guarantee that we will use the exact employee details you hold on your internal systems.
Improves the user experience. New starters can start using the platform as soon as you have added them to your employee database. They do not need to wait for their account to be created on the Reward Gateway (RG) platform or to register manually. This also removes the external feeling of our platform, reinforcing that this is a benefit provided to your employees by your organization itself.
How To Set Up JIT
For JIT to function properly, an SSO connection must already be established between an identity provider and an application (in this case, the RG platform). Provided that the SSO connection has been set up to transfer all the data required to create an account, the initial login of each user will trigger the transfer of this data, resulting in an account being created for them on the RG system.
Therefore, if you wish to use JIT for user provisioning, you need to ensure that the attributes (fields) you will be passing through SSO include all mandatory and recommended details RG needs in order to create a user account, as shown in the table below.
| Field | Requirement | Purpose |
| --- | --- | --- |
| Membership No. | Mandatory | Main unique identifier for the user |
| Email Address | Mandatory | Second identifier for the user, required in order to send a welcome e-mail |
| First Name | Recommended | Needed for addressing system and communication to the user (system notifications and/or recognition) |
| Last Name | Recommended | Needed for addressing system and communication to the user (system notifications and/or recognition) |
| Date of Birth | Recommended | Another identifier for added security |
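As an added example (not Reward Gateway code), the following check reads the attribute statement of a SAML assertion captured from a test login and reports which fields from the table above are absent or blank. The SAML attribute names (`membershipNo`, `email`, `firstName`, `lastName`, `dateOfBirth`) are assumptions, since this article lists only the field labels, and the assertion is assumed to have had its signature verified already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed SAML attribute names; the article gives only the field labels.
MANDATORY = {"membershipNo": "Membership No.", "email": "Email Address"}
RECOMMENDED = {"firstName": "First Name", "lastName": "Last Name",
               "dateOfBirth": "Date of Birth"}

# Constructed sample: an AttributeStatement with one blank mandatory value.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="membershipNo"><saml:AttributeValue>E10042</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>  </saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute name: first non-empty value} from the assertion."""
    # Use only on assertions from your own IdP; for untrusted XML use a
    # hardened parser such as defusedxml.
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:  # a blank value counts as missing
                found.setdefault(attr.get("Name"), text)
    return found


def check_jit_readiness(assertion_xml):
    """Report which table fields are missing or blank in the assertion."""
    attrs = read_attributes(assertion_xml)
    missing = [label for name, label in MANDATORY.items() if name not in attrs]
    warnings = [label for name, label in RECOMMENDED.items() if name not in attrs]
    return {"can_provision": not missing, "missing_mandatory": missing,
            "missing_recommended": warnings}


if __name__ == "__main__":
    print(check_jit_readiness(SAMPLE))
```

Running this against a sample assertion before enabling JIT shows whether the first login would carry both mandatory identifiers, rather than finding out from a failed account creation.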
How To Enable JIT
The option to enable just-in-time provisioning is on the Integrations Dashboard in Reward Manager. The steps for enabling it can be found in this article: How To Set Up an Inbound SSO Integration.
Deprovisioning (removing users)
Please note that JIT can only provision (create) user accounts. It is therefore important to have a deprovisioning integration in place. You can use either SFTP or SCIM (provisioning) integrations to remove leavers. More information can be found in the following guides:
How To Set Up an SFTP Provisioning
How To Set Up Microsoft Azure for Provisioning