Just In Time (JIT) Provisioning
Automatically create or update Wristband users at the moment they log in through an enterprise identity provider.
Just-In-Time (JIT) provisioning creates or updates a user's account automatically at the moment they authenticate. When a user logs in through a configured enterprise external identity provider, Wristband uses the roles, groups, and profile data in the SSO assertion to create or update their user record on the spot, cutting manual onboarding work and keeping user data current.
Enabling JIT Provisioning
JIT provisioning applies to Wristband's enterprise external identity providers, not social login providers.
To enable it, navigate to Tenant View in the Wristband dashboard and select Identity Providers -> Enterprise from the side navigation. Select the enterprise IdP you want to configure, then go to the User Syncing section to enable the Just-in-time (JIT) provisioning toggle.

The User Syncing section of an enterprise IdP, showing the Just-in-time (JIT) provisioning toggle.
Mapping External IDP Users
Wristband allows you to map both roles and user attributes from the external identity provider into Wristband.
Attribute Mapping and Syncing
Attribute mapping defines which SAML attributes correspond to fields on the Wristband user, such as name and email. Once mapped, Wristband syncs these values into the user's profile during authentication and JIT provisioning. OIDC identity providers skip mapping and sync directly from standard claims.
Refer to the Attribute Mapping and Syncing documentation to learn more.
Role Mapping
Role mapping associates a user's roles or security groups in an organization's identity provider with roles in your Wristband application, so users get the right level of access based on their organizational role.
Refer to the Role Mapping documentation to learn more.
Email Verification
SSO providers typically don't guarantee that the email profile field is verified. That responsibility falls to Wristband. During JIT provisioning, Wristband checks whether the incoming email address was verified by the external identity provider. If it was, Wristband sets the user's emailVerified field to true. Otherwise, the user must verify their email.
Email Verification Workflow Policy
If email verification is required during JIT provisioning, users can complete it in two ways:
- Entering a one-time password on the login screen.
- Completing login and confirming through a verification email sent to their inbox.
You can configure the email verification method via Enterprise IdP Login Workflow Policies in the Wristband dashboard. Refer to the Login Workflow documentation to learn more.
JIT Provisioning Workflow
Here is a high-level flow of how JIT provisioning works in Wristband:

JIT provisioning flow, from external IdP login through user provisioning, email verification, and session creation.
If the user doesn't already exist for that IdP and tenant, Wristband provisions them first. If email verification is required, the user completes it via one-time code or email before the session is created.
For more detail on how JIT provisioning fits into the External IdP Login Workflow, refer to the Login Workflow documentation.
Updated 15 days ago