JIT Portal
Setup, onboard cloud providers, and request or manage temporary credentials from the JIT Portal.
Authentication & Login
Users with a SailPoint Entro user on the SailPoint Entro Platform can use the same login method to access JIT and request credentials. Then SailPoint Entro JIT portal uses the same roles which are configured in SailPoint Entro Portal → Settings → User Management.
Logging in
- Access the JIR Portal via
jit.<eval/app/tenant>.entro.security -
If it's your first login, you will be guided through a one-time setup.
Initial Setup
SailPoint Entro API key configuration
Upon your initial login, you must set up the SailPoint Entro API connection. This configuration is required only once for each tenant.
Why This Is Needed
The SailPoint Entro API allows the portal to identify employees, enabling it to populate the Owner field in JIT requests.
Setup Steps
- Enter the SailPoint Entro API URL (default:
https://api.entro.security) - Provide your SailPoint Entro API key
- Click Save
You can update the API key later via Settings → Organization.
Cloud Provider Setup
Before creating requests, connect at least one provider via Settings → Cloud Providers.
GitHub setup
Step 1: Create a GitHub App
- GitHub org → Settings → Developer settings → GitHub Apps.
- Click New GitHub App.
- Set an app name. Example:
EntroSec JIT. - Set a homepage URL.
- Uncheck Webhook → Active.
- Under Permissions, select the repo permissions you want to allow.
- Click Create GitHub App.
- Copy the App ID.
Step 2: Generate a Private Key
- In the app settings, scroll to Private keys.
- Click Generate a private key.
- A
.pemfile downloads.
You will paste the PEM contents into the portal.
Step 3: Install the App on Your Organization
- In the app sidebar, click Install App.
- Click Install next to your organization.
- Choose All repositories or select specific ones.
- Copy the Installation ID from the URL.
Format:
github.com/organizations/YOUR_ORG/settings/installations/INSTALLATION_ID
Step 4: Enter Credentials in the Portal
- Settings → Cloud Providers → Add GitHub.
-
Enter:
-
Label
-
App ID
-
Installation ID
-
Private key (PEM contents)
-
-
Click Test Connection and Create.
JIT request lifecycle
The request process
- A user creates a request in the portal or MCP.
-
Automation policies are evaluated.
-
Auto-decline first.
-
Auto-approve second.
-
Otherwise pending manual review.
-
-
Admin reviews pending requests.
- On approval, credentials are created and stored in the vault.
- Credentials are used until expiry.
-
On expiry, credentials become invalid.
Note
STS role sessions expire automatically. IAM Users and App Registrations should be revoked or deleted.
Available actions on requests
-
Approve: create credentials and store in the vault (admin only).
-
Reject: decline a pending request (admin only).
-
Rotate: generate new credentials.
-
Old versions stay in the vault.
-
Not available for GitHub.
-
-
Revoke: invalidate credentials before expiry.
- Not available for GitHub.
-
Delete NHI: delete the cloud identity and credentials.
Credential display
Credentials are displayed one time only at approval time.
-
Azure: client ID, client secret.
-
AWS IAM User: access key ID, secret access key.
-
AWS IAM Role: access key ID, secret access key, session token.
-
GitHub: installation token is stored as a repo secret.
After closing the modal:
-
Azure and AWS credentials are retrievable from the vault only.
-
GitHub tokens cannot be retrieved.
Automation policies
Configure policies in Settings → Automation.
Policy types
Auto-decline (evaluated first)
-
Instantly blocks dangerous conditions.
-
Should include a clear decline message.
Auto-approve (evaluated second)
-
Auto-provisions credentials for safe request patterns.
-
Can enforce max expiry. Example: max 7 days.
Configurable conditions
Azure
-
Allowed / blocked Graph API permissions.
-
Allowed / blocked RBAC roles.
AWS
-
Allowed / blocked IAM permissions.
-
Allowed / blocked managed policies.
GitHub
-
Allowed / blocked permissions.
- Note:
metadata:readis ignored for policy matching.
- Note:
-
Allowed / blocked repos and orgs.
All providers
-
Cloud config scope.
-
Priority (1–1000).
-
Employee scope (optional).
Wildcard matching is supported with *.
Evaluation order
- Auto-decline policies (highest priority first)
- Auto-approve policies (highest priority first)
- No match → manual review
Dashboard
The dashboard is the main view for JIT requests.
Filtering and search
-
Status filters: pending, approved, rejected, revoked.
-
Provider filters: AWS, Azure, GitHub.
-
Special filters: expiring soon, my requests.
-
Search: token name or description.
What each request shows
-
Token name and description.
-
Provider and NHI type.
-
Status.
-
Owner name and email.
-
Expiry.
-
Vault destination.
-
Available actions.
Tabs
-
All NHIs: all requests in the tenant.
-
My Requests: requests owned by the current user.
Troubleshooting
Request Is Pending
An admin may need to approve the request. Automation policies may not match your request.
Request Rejected
An auto-decline policy may have blocked permissions. Try narrower permissions or shorter expiry.
Credentials Are Missing
Credentials are shown once at approval time, after that, retrieve from the configured vault. GitHub tokens cannot be retrieved