In this article, we will explain what Just-In-Time (JIT) Provisioning is and how you can use it to automatically create user accounts through your Single-Sign-On connection.
Before proceeding, we recommend checking our guide on How to set up an Inbound SSO integration.
What is JIT
Just-In-Time or JIT provisioning is a method of automating user account creation for web applications. It uses the SAML (Security Assertion Markup Language) protocol to pass information from the identity provider (IDP) to the service provider (web application).
JIT is what allows your SSO connection to serve not only as a login method but as a registration method as well, without any additional setup.
What are the benefits of using JIT
Saves time. Instead of having to manually add new starters to the platform, the system will do this for you upon their first SSO login, based on the data you are already providing. If you are a large organization, automated processes are a must in order to make your day-to-day tasks easier.
Reduces risk of errors. When preparing and processing files manually, spelling or other human errors can occur, resulting in incorrect details being uploaded which can sometimes prevent users from accessing the platform. Automated data transfers guarantee that we will use the exact employee details you hold on your internal systems.
Improves user experience. New starters can start using the platform as soon as you have added them to your employee database. They do not need to wait for their account to be created on the RG platform or do manual registrations. This also removes the ‘external’ feeling of our platform, reinforcing that this is a benefit, provided to your employees by your organization itself.
How to set up JIT
In order for JIT to function, there must already be an established SSO connection between an identity provider and an application (in this case, the RG platform).
Provided that the SSO connection has been set up to transfer all the necessary data required to create an account, the initial login of each user will trigger the transfer of this data, resulting in an account being created for them on the RG system.
Therefore, if you wish to use JIT for user provisioning, you need to ensure that the attributes (fields) you will be passing through SSO include all mandatory and recommended details RG needs in order to create a user account:
Attribute - Requirement - Purpose
Membership No. - Mandatory - Main unique identifier for the user
Email Address - Mandatory - Second identifier for the user; required in order to send the Welcome e-mail
First Name - Recommended - Needed to address the user in system communications (system notifications and/or recognition)
Last Name - Recommended - Needed to address the user in system communications (system notifications and/or recognition)
Date of Birth - Recommended - Additional identifier, used for added security
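The following is an added example, not code from Reward Gateway or this guide, showing the check a service provider performs on first login: the attributes are read from the SAML AttributeStatement, the two mandatory fields (Membership No. and Email Address) are enforced, and an account is created only when they are present; missing recommended fields produce warnings rather than a refusal. The SAML attribute names (membershipNo, email, firstName, lastName, dateOfBirth) and the assertion XML are constructed for illustration and are not the names used by the RG platform; it also assumes that the SAML library has already verified the assertion's signature, issuer and audience before the XML reaches this code.

```python
"""Added example (not RG platform code): validate SAML attributes before a
Just-In-Time account is created.

Assumptions: attribute names are illustrative, the assertion is constructed
sample data, and signature/issuer/audience checks have already been done by
the SAML library that produced the assertion XML.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import date

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute names -> (mandatory?, purpose as listed in the guide)
ATTRIBUTES = {
    "membershipNo": (True, "Main unique identifier for the user"),
    "email": (True, "Second identifier; the Welcome e-mail is sent here"),
    "firstName": (False, "Addressing the user in notifications"),
    "lastName": (False, "Addressing the user in notifications"),
    "dateOfBirth": (False, "Additional identifier for added security"),
}

# Constructed sample assertion, as the SP would receive it inside a SAML Response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="membershipNo"><saml:AttributeValue>EMP-00042</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1990-05-17</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, str]:
    """Return a {name: value} map from the assertion's AttributeStatement.
    Empty values are dropped so they count as missing."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, str] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text and value.text.strip():
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def validate_for_jit(attrs: dict[str, str]) -> tuple[list[str], list[str]]:
    """Return (missing_mandatory, missing_recommended); a non-empty first list
    means the login must not create an account."""
    missing_mandatory = [n for n, (req, _) in ATTRIBUTES.items() if req and n not in attrs]
    missing_recommended = [n for n, (req, _) in ATTRIBUTES.items() if not req and n not in attrs]
    return missing_mandatory, missing_recommended


def provision_from_assertion(assertion_xml: str, user_store: dict[str, dict]) -> dict:
    """JIT step: create the user on first login, otherwise return the existing one.
    `user_store` stands in for the platform's user database, keyed by Membership No.
    Raises ValueError when a mandatory attribute is absent or a date is malformed."""
    attrs = extract_attributes(assertion_xml)
    missing_mandatory, missing_recommended = validate_for_jit(attrs)
    if missing_mandatory:
        raise ValueError(f"JIT refused: mandatory attributes missing: {missing_mandatory}")
    if "dateOfBirth" in attrs:
        date.fromisoformat(attrs["dateOfBirth"])  # reject a malformed date before storing it
    key = attrs["membershipNo"]
    if key in user_store:
        # JIT only creates accounts: a returning user is simply logged in.
        return {"created": False, "user": user_store[key], "warnings": []}
    user = {name: attrs.get(name) for name in ATTRIBUTES}
    user_store[key] = user
    return {"created": True, "user": user,
            "warnings": [f"recommended attribute not supplied: {n}" for n in missing_recommended]}


if __name__ == "__main__":
    store: dict[str, dict] = {}
    print(provision_from_assertion(SAMPLE_ASSERTION, store))  # first login: account created
    print(provision_from_assertion(SAMPLE_ASSERTION, store))  # second login: existing account returned
```

Because the membership number is the primary key, a second login with the same assertion does not create a duplicate account, and an assertion that lacks either mandatory attribute is rejected outright rather than producing a half-populated user that can never receive its Welcome e-mail.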
How to enable JIT
The option to enable Just-In-Time provisioning is included in the Inbound SSO setup on the Integrations Dashboard in Reward Manager.
Deprovisioning (Removing Users)
Please note that JIT can only provision (create) user accounts. It is therefore important to have a deprovisioning integration in place. You can use either the SFTP or the SCIM (Provisioning) integration to remove leavers; more information can be found in the following guides:
SFTP for Provisioning
How to set up Microsoft Azure for Provisioning