Just-in-Time Provisioning for SAML (Single Sign on)

Today I will give a brief idea of JIT provisioning for SAML. Just-in-Time provisioning creates regular and portal users the first time they try to log in, which eliminates the need to create user accounts in advance. Say some employees have joined the company recently and you do not want to create those users in Salesforce by hand. When they log in with single sign-on, their accounts are created for them automatically, saving the time and effort of onboarding each account.

In technical terms, with just-in-time provisioning the end user's identity is provisioned (created or updated) at the service provider the first time the end user tries to access the service provider's service, without any prior identity provisioning activity between the identity provider and the service provider.

Also with just-in-time provisioning, the identity provider can include the attributes the service provider needs to provision the end user. These attributes can include information such as the user name, first name, last name, and email address, and are packaged in a security token such as a Security Assertion Markup Language (SAML) assertion. The identity provider sends this SAML assertion to the service provider when the end user accesses the service provider as part of a single sign-on. If no match exists for the presented user name, the service provider creates a new account with the end user attributes contained in the SAML assertion, and immediately grants the end user access to the requested services. Because the service provider acts on these attributes directly, it must verify the assertion's signature, audience, recipient and validity window before trusting any of them; otherwise anyone able to craft an assertion could create or modify an account.

If a match is found and an account already exists for the end user, the service provider updates the account according to the attribute information in the SAML assertion. A wide variety of attributes are supported (for example, a profile ID can be specified for new or existing accounts), so the federated business partners have fine-grained control over the account creation and update process.

This is an enhanced version of federated SSO: a single login call both authenticates the user and creates or updates the user record. In the use case below, we make a login call that creates a standard user, and then one that creates a community user.

I have set up the configuration in Salesforce as below while making a call from the Axiom SAML test tool.


I have enabled User Provisioning and used the standard JIT handler; we will talk about the custom JIT handler later on.

Below are the parameters I pass through Axiom to create a standard user.


As soon as this request is sent to Salesforce, it creates the user and completes the login in Salesforce.


Similarly, I make a login call for a community. We need to change the Recipient URL to the community login URL generated automatically in the SSO settings; below is the format of the request.


The SAML response was generated, the user was created in the org, and the user was logged into the community as below.


Similarly, the request can be sent from a third party to the Salesforce customer portal.

Key Notes:

  1. The Recipient URL must be specified correctly: it has to match the login URL of the org or community you are logging into.
  2. Parameters in Additional Attributes must not end with ";".
  3. The Federation ID specified in Axiom must be unique.
  4. The user is created with Created By set to "Automated Process".
  5. The JIT handler attribute is described here.
  6. Here is the guide for Just-in-Time Provisioning for Communities.
  7. Here is the guide for Just-in-Time Provisioning for Portals.
  8. How the system matches users in Salesforce is described here.
  9. JIT provisioning error details.
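To make the create-or-update behaviour and the Recipient and Audience checks from the Key Notes concrete, here is an added worked example in Python. It is not from the original post and is not Salesforce or Axiom code: it builds the kind of assertion an identity provider such as Axiom sends (unsigned, so signature verification is assumed to have been done already with an XML-DSig library), validates it the way the service provider must before trusting the attributes, and then applies the JIT rule of creating on first login and updating on later logins, keyed on the Federation ID. The attribute names follow the User.* convention of the standard JIT handler; the URLs, profile ID and user values are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Attribute names the standard Salesforce JIT handler expects for a new user.
REQUIRED_ATTRS = ("User.Username", "User.Email", "User.LastName",
                  "User.ProfileId", "User.FederationIdentifier")
# Constructed sample values (assumed; not real endpoints, profile IDs or users).
LOGIN_URL = "https://login.salesforce.com/?saml=EXAMPLE"  # Recipient URL from SSO settings
ENTITY_ID = "https://saml.salesforce.com"                  # Audience: the org's entity ID
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ATTRS = {"User.Username": "jdoe@example.com", "User.Email": "jdoe@example.com",
                "User.LastName": "Doe", "User.ProfileId": "00e000000000001AAA",
                "User.FederationIdentifier": "jdoe"}

def _q(tag):
    return f"{{{SAML_NS}}}{tag}"

def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_assertion(issuer, recipient, audience, attributes, now):
    """IdP side (the role Axiom plays): an assertion carrying User.* attributes.
    Unsigned here; a real IdP signs it and the SP verifies that signature first."""
    a = ET.Element(_q("Assertion"), ID="_id1", Version="2.0", IssueInstant=_iso(now))
    ET.SubElement(a, _q("Issuer")).text = issuer
    subj = ET.SubElement(a, _q("Subject"))
    ET.SubElement(subj, _q("NameID")).text = attributes["User.FederationIdentifier"]
    sc = ET.SubElement(subj, _q("SubjectConfirmation"), Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, _q("SubjectConfirmationData"), Recipient=recipient,
                  NotOnOrAfter=_iso(now + timedelta(minutes=5)))
    cond = ET.SubElement(a, _q("Conditions"), NotBefore=_iso(now - timedelta(minutes=1)),
                         NotOnOrAfter=_iso(now + timedelta(minutes=5)))
    ET.SubElement(ET.SubElement(cond, _q("AudienceRestriction")), _q("Audience")).text = audience
    stmt = ET.SubElement(a, _q("AttributeStatement"))
    for name, value in attributes.items():
        ET.SubElement(ET.SubElement(stmt, _q("Attribute"), Name=name), _q("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")

def validate_assertion(xml, expected_recipient, expected_audience, now):
    """SP side (what Salesforce must check after verifying the signature).
    Returns (errors, attributes); provision only when errors is empty."""
    root, errors = ET.fromstring(xml), []
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_recipient:
        errors.append("Recipient does not match this org's or community's login URL")
    elif now >= _parse_time(scd.get("NotOnOrAfter")):
        errors.append("SubjectConfirmationData expired")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        if not _parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter")):
            errors.append("assertion outside its validity window")
        if expected_audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            errors.append("Audience does not match this org's entity ID")
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    errors += [f"missing required attribute {n}" for n in REQUIRED_ATTRS if not attrs.get(n)]
    return errors, attrs

def jit_provision(directory, attrs):
    """Create or update the user keyed by Federation ID, as the JIT handler does.
    directory stands in for the user table: federation_id -> attribute dict.
    An existing username may not be re-bound to a different Federation ID, so a
    second IdP identity cannot take over an account by reusing its username."""
    fed_id, username = attrs["User.FederationIdentifier"], attrs["User.Username"]
    for other_id, user in directory.items():
        if other_id != fed_id and user["User.Username"] == username:
            raise ValueError(f"username {username} already belongs to Federation ID {other_id}")
    if fed_id in directory:
        directory[fed_id].update(attrs)   # match found: update from the assertion
        return "updated"
    directory[fed_id] = dict(attrs)       # no match: create on first login
    return "created"

def demo():
    """Run the whole flow on the constructed sample and report each outcome."""
    xml = build_assertion("https://idp.example.com", LOGIN_URL, ENTITY_ID, SAMPLE_ATTRS, SAMPLE_NOW)
    errors, attrs = validate_assertion(xml, LOGIN_URL, ENTITY_ID, SAMPLE_NOW)
    users = {}
    result = {"errors": errors, "attributes": attrs, "first_login": jit_provision(users, attrs)}
    result["second_login"] = jit_provision(users, {**attrs, "User.LastName": "Smith"})
    result["last_name_after_update"] = users["jdoe"]["User.LastName"]
    result["wrong_recipient"] = validate_assertion(xml, "https://evil.example.com", ENTITY_ID, SAMPLE_NOW)[0]
    result["replayed_later"] = validate_assertion(xml, LOGIN_URL, ENTITY_ID, SAMPLE_NOW + timedelta(minutes=10))[0]
    try:
        jit_provision(users, {**attrs, "User.FederationIdentifier": "mallory"})
        result["takeover_blocked"] = False
    except ValueError:
        result["takeover_blocked"] = True
    return result
```

Running `demo()` shows the first login returning "created" and the second "updated" with the new last name applied, while an assertion addressed to a different Recipient, one replayed after its window, or one that tries to bind an existing username to a new Federation ID is refused. The username check in `jit_provision` is the reason the Federation ID in Axiom has to be unique: if the handler silently matched on username alone, a second identity could inherit someone else's account.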

 

Although there is much more to learn about JIT provisioning, I have given the basic concepts here so that it is easy to pick up and understand.
