Configuring Just-in-Time Account Creation

Just-in-time (JIT) account creation, sometimes called JIT provisioning, creates an account on an app for a user as they attempt to authenticate for the first time. You can configure JIT account creation from your identity provider (IDP) into IdentityNow so that users are able to continue working seamlessly in your SailPoint environment.

Contact SailPoint services before configuring JIT provisioning to ensure it's a good fit for your organization's needs.

To configure JIT account creation in IdentityNow, you'll create a JIT source. You'll then create an identity profile so that accounts created on that JIT source will be converted to identities. Complete the final configurations in the service provider settings in IdentityNow.

Once these configurations are complete, an identity will be created for any user lacking an account who authenticates into IdentityNow using your identity provider. Their IdentityNow accounts can also be updated if their information in the identity provider changes.

Creating a Just-in-Time Source

  1. Go to Admin > Connections > Sources.

  2. Select + New.

  3. In Source Type, choose SAML Just-in-Time Source.

  4. Add the following:

    • A source name
    • A description of the source
    • An individual owner for the source
    • Optionally, a governance group to manage this source. This allows source sub-admins in this governance group to access and manage this source.
  5. Select Continue.

Adding Custom Attributes to a Source

You can add custom attributes to your Just-in-Time source to capture additional information about these identities.

All attributes in the source schema are automatically added to the Just-in-Time configuration panel in the Global menu. Refer to Configuring a JIT Source for Accounts for more information.

To create a custom attribute for your JIT source:

  1. In your Just-in-Time source, select Account Schema.

  2. Select Add New Attribute.

  3. Add the following information for each attribute you want to add:

    • Name - Enter a unique name for this attribute. The name must be in camel case (for example, camelCase).
    • Description - Optionally provide a description of this attribute.
    • Type - Choose whether the value of this attribute is a string, long, integer, or boolean.

    The Multi-Valued and Entitlement options are not supported.

  4. Select Save.

You can also do the following on the Account Schema page:

  • Edit an attribute by selecting its name.
  • Delete an attribute by selecting its name, then the Delete icon. The attributes id, firstName, lastName, and email can't be deleted, and deleting other default attributes is not recommended.

Creating an Identity Profile

Creating an identity profile allows you to generate identities from the accounts that are created on this source. Once a user has an identity, they can authenticate into IdentityNow.

Follow the steps in Setting Up Identity Profiles to begin. Choose your JIT source in step 4 of this document.

Important

  • Ensure that all required identity attributes are mapped to required attributes on your JIT source so that identities can be created and users can authenticate.
  • By default, IdentityNow only maps the identity profile's uid attribute to the source's id attribute. Best practices indicate that this should not be changed. If you want other identity attributes to be populated with values, you'll need to configure mappings for them in the identity profile.

Configuring a JIT Source for Accounts

Once you've created a Just-in-Time source and configured an identity profile associated with it, you can enable JIT provisioning into IdentityNow.

Prerequisite:

  • Your identity provider is configured correctly to authenticate into SailPoint's cloud services.

Enabling Just-in-Time Account Creation:

  1. Go to Admin > Global > Security Settings and select Service Provider.

  2. In the Configure Just-in-Time Account Provisioning section, select the checkbox for Enable JIT Provisioning.

    To disable JIT provisioning, clear this checkbox.

  3. In the Select Source dropdown list, choose your Just-in-Time source.

    A list of the attributes configured for that source is displayed.

  4. In the Attribute Mappings section, in the field under each JIT source attribute, enter the name of the corresponding identity provider attribute.

    These attributes will be used to create an initial account and identity for the user who is authenticating.

    The attributes email, lastName, and firstName are always required. The id attribute is mapped automatically to the nameId in the SAML assertion and has no field to fill in. All other attributes are optional.

  5. Select Save.

The next time a user who doesn't yet have an account authenticates into IdentityNow from your identity provider, an account is created for them. Usually, this account is created and functional within 15 seconds of their first authentication from the identity provider. If not, the user can refresh the page or try again later.

To confirm that JIT account creation is working as expected, verify that new accounts appear correctly in the account list.

Each time the user authenticates into IdentityNow using this IDP, IdentityNow will verify whether their firstName, lastName, email, or phone account attributes have changed. If they have, IdentityNow will update their JIT source account and identity attributes.

However, if the IDP attributes that have changed are used in correlation, they can't be used to update an existing identity. Instead, IdentityNow's correlation rules indicate that the account belongs to a new identity, and one is created.
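The attribute-mapping step above and the update and correlation behaviour just described, as an added Python illustration that is not SailPoint code: it pulls the nameId and attribute values out of a constructed SAML assertion, applies an assumed Attribute Mappings table, enforces the three required attributes, and then applies the change-detection rule and the correlation caveat. The IdP attribute names, the assertion contents and the choice of email as a correlation attribute are all assumptions.

```python
# Added illustration (not SailPoint code): build the JIT account record the page
# describes (id <- nameId; email/firstName/lastName required; others optional) and
# model what happens on later logins when the re-checked attributes change.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")            # always required per the page
UPDATABLE = ("firstName", "lastName", "email", "phone")  # re-checked on every login

# Constructed sample assertion (signature omitted; IdP attribute names are made up).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# JIT source attribute -> IdP attribute name, as typed under Attribute Mappings (assumed names).
MAPPING = {"email": "mail", "firstName": "givenName", "lastName": "sn", "phone": "telephoneNumber"}

def build_account(assertion_xml, mapping):
    """Return the account dict for a first login, or raise if a required attribute is absent."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID, so id cannot be set")
    idp_attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        idp_attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    account = {"id": name_id}
    for src_attr, idp_name in mapping.items():
        value = idp_attrs.get(idp_name)
        if value is None and src_attr in REQUIRED:
            raise ValueError(f"required attribute {src_attr} ({idp_name}) missing from assertion")
        if value is not None:
            account[src_attr] = value
    return account

def changed_attributes(existing, incoming):
    """Values in the re-checked set that differ from the stored account at this login."""
    return {k: incoming[k] for k in UPDATABLE if k in incoming and incoming[k] != existing.get(k)}

def reconcile(existing, incoming, correlation_attrs=("email",)):
    """Page rule: a changed correlation attribute cannot update the identity; a new one results."""
    changes = changed_attributes(existing, incoming)
    if any(k in correlation_attrs for k in changes):
        return "new-identity", changes
    return "updated", changes
```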