Just In Time (JIT) Provisioning
Just-In-Time (JIT) provisioning is a process in identity management and access control where users are dynamically created or updated at the moment of user authentication. Instead of having IT administrators pre-create users with associated roles and attributes, JIT provisioning generates users on-the-fly based on the information provided during the authentication process.
In the context of enterprise Single Sign-On (SSO), JIT provisioning ensures that users are created or updated in your Wristband application only when a user attempts to log in through the configured enterprise external identity provider. This approach streamlines user onboarding, reduces administrative overhead, and helps maintain accurate and up-to-date user information.
Enabling JIT Provisioning
JIT provisioning applies to Wristband's enterprise external identity providers (not social login providers). After creating an enterprise external identity provider in the Wristband dashboard, visit the Edit External Identity Provider Page to enable the JIT provisioning configuration.
Mapping External IDP Users
Wristband allows you to map both roles and user attributes from the external identity provider into Wristband.
Attribute Mapping
Attribute mapping in JIT provisioning refers to the dynamic transfer of user profile fields from an external identity provider to your Wristband application during user authentication and provisioning. This ensures that relevant user profile information (such as name, email, etc.) is accurately synchronized in real-time between the external identity provider and your Wristband application. This process streamlines user onboarding, maintaining consistency in user profile fields across different systems and applications for an organization.
Wristband allows you to map the following user profile fields from enterprise external identity providers into Wristband users:
birthdate
email
fullName
givenName
familyName
phoneNumber
More on attribute mapping coming soon...
Role Mapping
Role mapping in JIT provisioning refers to associating user roles within an organization's identity provider to specific roles and permissions in your Wristband application. This ensures that users receive the appropriate level of access to your application based on their organizational roles.
Refer to the Role Mapping documentation to learn more.
Email Verification
SSO providers typically do not guarantee the verification of the email profile field as part of their core functionality. The responsibility for email verification falls to Wristband. When users undergo JIT provisioning during login to your application, Wristband validates that the incoming email address value from the external identity profile has been verified within the external identity provider's system.
If the email is verified in the external IDP system, Wristband will set the user's emailVerified
field to true
during JIT provisioning. Otherwise, the user will be required to verify their email.
Email Verification Workflow Policy
If email verification is required during JIT provisioning, users can complete it in two ways:
- Entering a one-time password on the login screen.
- Completing the login process and receiving a verification email in their inbox for confirmation outside the login workflow.
You can configure the email verification method on the Workflow Policies Page in the Wristband dashboard under the Enterprise IDP Login (SSO)
workflow value.
JIT Provisioning Workflow
Here is a high-level flow of how JIT provisioning works in Wristband:
For more details on how JIT provisioning works within the context of the External IDP Login Workflow, refer to the Login Workflow documentation.
Updated 4 months ago