Just In Time (JIT) Provisioning

Just-In-Time (JIT) provisioning is a process in identity management and access control where users are dynamically created or updated at the moment of user authentication. Instead of having IT administrators pre-create users with associated roles and attributes, JIT provisioning generates users on the fly based on the information provided during the authentication process.

In the context of enterprise Single Sign-On (SSO), JIT provisioning ensures that users are created or updated in your Wristband application only when a user attempts to log in through the configured enterprise external identity provider. This approach streamlines user onboarding, reduces administrative overhead, and helps maintain accurate and up-to-date user information.

Enabling JIT Provisioning

JIT provisioning applies to Wristband's enterprise external identity providers (not social login providers). After creating an enterprise external identity provider in the Wristband dashboard, visit the Edit External Identity Provider Page to enable the JIT provisioning configuration.

Mapping External IDP Users

Wristband allows you to map both roles and user attributes from the external identity provider into Wristband.

Attribute Mapping

Attribute mapping in JIT provisioning refers to the dynamic transfer of user profile fields from an external identity provider to your Wristband application during user authentication and provisioning. This ensures that relevant user profile information (such as name and email) is accurately synchronized in real time between the external identity provider and your Wristband application. This process streamlines user onboarding and maintains consistency in user profile fields across an organization's different systems and applications.

Wristband allows you to map the following user profile fields from enterprise external identity providers into Wristband users:

  • birthdate
  • email
  • fullName
  • givenName
  • familyName
  • phoneNumber

More on attribute mapping coming soon...

Role Mapping

Role mapping in JIT provisioning refers to associating user roles within an organization's identity provider to specific roles and permissions in your Wristband application. This ensures that users receive the appropriate level of access to your application based on their organizational roles.

Refer to the Role Mapping documentation to learn more.

Email Verification

SSO providers typically do not guarantee the verification of the email profile field as part of their core functionality. The responsibility for email verification falls to Wristband. When users undergo JIT provisioning during login to your application, Wristband validates that the incoming email address value from the external identity profile has been verified within the external identity provider's system.

If the email is verified in the external IDP system, Wristband will set the user's emailVerified field to true during JIT provisioning. Otherwise, the user will be required to verify their email.
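
The sketch below is an added illustration of the attribute mapping and email verification decision described above; it is not Wristband's code. It assumes the IdP sends OIDC standard claims (sub, email, email_verified, name, given_name, family_name, phone_number, birthdate); the claim-to-field map, the in-memory user store, the IdP id and the sample assertions are hypothetical.

```python
# Added illustration of the JIT pattern; not Wristband's code.
# Assumption: the IdP sends OIDC standard claims; this claim-to-field map is hypothetical.
CLAIM_TO_FIELD = {
    "birthdate": "birthdate", "email": "email", "name": "fullName",
    "given_name": "givenName", "family_name": "familyName",
    "phone_number": "phoneNumber",
}


def idp_verified_email(claims):
    """True only on an explicit affirmative; a missing claim counts as unverified."""
    value = claims.get("email_verified")
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def jit_provision(users, idp_id, claims):
    """Create or update the user keyed by (idp_id, sub); return (user, needs_verification)."""
    sub, email = claims.get("sub"), claims.get("email")
    if not sub or not email:
        raise ValueError("assertion has no subject or email; refusing to provision")
    user = users.get((idp_id, sub))
    created = user is None
    if created:
        user = {"emailVerified": False}
    previous_email = user.get("email")
    # Copy allowlisted profile fields only; any other claim is ignored.
    for claim, field in CLAIM_TO_FIELD.items():
        if claim in claims:
            user[field] = claims[claim]
    if idp_verified_email(claims):
        user["emailVerified"] = True
    elif created or previous_email is None or email.lower() != previous_email.lower():
        # Assumption: an unchanged address verified earlier stays verified.
        user["emailVerified"] = False
    users[(idp_id, sub)] = user
    return user, not user["emailVerified"]


if __name__ == "__main__":
    store = {}
    # Constructed sample assertions for a hypothetical IdP id "acme-idp".
    first = {"sub": "u-1", "email": "ana@acme.example", "email_verified": "true",
             "given_name": "Ana", "family_name": "Ruiz", "groups": ["admins"]}
    print(jit_provision(store, "acme-idp", first))
    changed = {"sub": "u-1", "email": "ana.ruiz@acme.example"}
    print(jit_provision(store, "acme-idp", changed))
```

Keying the user on the IdP id together with the subject keeps two identity providers that assert the same email address from resolving to the same user record.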

Email Verification Workflow Policy

If email verification is required during JIT provisioning, users can complete it in two ways:

  • Entering a one-time password on the login screen.
  • Completing the login process and receiving a verification email in their inbox for confirmation outside the login workflow.

You can configure the email verification method on the Workflow Policies Page in the Wristband dashboard under the Enterprise IDP Login (SSO) workflow value.

JIT Provisioning Workflow

Here is a high-level flow of how JIT provisioning works in Wristband:

[Figure: JIT Provisioning Flow Chart]

For more details on how JIT provisioning works within the context of the External IDP Login Workflow, refer to the Login Workflow documentation.