Learn how to provision users in your app using Just-In-Time user provisioning.
Enable JIT provisioning to automatically create user accounts when they first authenticate via SSO.
This guide explores user provisioning strategies and offers a deep dive into SSO-based just-in-time (JIT) user provisioning.
User provisioning is the process of creating a user account with associated identity data in an application. The application needs to determine a unique identifier for an identity, create a unique account for that user, and link the identity profile attributes to that user's account. There are many strategies to provision users in an app, but the three main ones are listed below. Which one an app needs depends on its architecture and level of enterprise feature support:
| Strategy | Description | Usage |
|---|---|---|
| Self-registration | Users fill out a registration form to create an account in the app | For users that don’t have an SSO service, usually the first authentication mechanism built in an app |
| Pre-provisioning users | Use a service like Directory Sync to create users in the app | Required by large enterprises to automatically provision users |
| JIT provisioning | Create a user account when a user signs in via SSO for the first time | Leverage user identity from an SSO provider to create an account in your app |
JIT provisioning creates a user account with associated identity information when a user authenticates via SSO for the first time. IT admins often use JIT provisioning to quickly set up accounts in an app. Apps that implement SSO without a directory sync integration typically support JIT provisioning, since the alternatives are self-registration by each user or manual entry of every user by the IT admin.
Consider the fictional SaaS company HireOS, which offers recruiting software to other businesses. HireOS is an online app allowing customers to track leads, candidates, and interviews.
HireOS has integrated SSO using WorkOS and supports JIT provisioning. For example, a HireOS customer would like their users to have accounts automatically provisioned in HireOS when they first log in. The customer’s IT admin will only need to assign the users to the HireOS SAML app in their identity provider. When users log into HireOS via SSO, they will have accounts created in HireOS, just in time.
A usual account setup flow using JIT provisioning works as follows:
When a user authenticates to an application via SSO for the first time, and JIT provisioning is enabled, the application provisions a new user account. The account can be created by saving the identity information (the WorkOS SSO profile) directly on the app’s user account. Alternatively, a separate identity can be created from the WorkOS SSO profile and related to the new user account. This logic allows users to have multiple identities if the app supports several login methods per user.
The WorkOS SSO profile's id attribute serves as the persistent unique identifier for this identity in WorkOS. The idp_id is the identity provider's own identifier for the user, which WorkOS guarantees to be unique within an SSO connection. In addition, the app can use either the connection_id or organization_id to tie the identity to a team account.
```json
{
  "object": "profile",
  "id": "prof_01DMC79VCBZ0NY2099737PSVF1",
  "connection_id": "conn_01E4ZCR3C56J083X43JQXF3JK5",
  "connection_type": "OktaSAML",
  "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY",
  "email": "todd@example.com",
  "first_name": "Todd",
  "last_name": "Rundgren",
  "idp_id": "00u1a0ufowBJlzPlk357",
  "role": { "slug": "admin" }
}
```
Applications may want to grant new users roles via JIT provisioning. For more information on mapping role data between the IdP and the application, see the Mapping Roles guide.
When an application receives a WorkOS SSO profile, the standard practice is to perform the following series of checks:
1. Look for an existing identity matching the profile's id or idp_id. If found, log in the corresponding user.
2. Otherwise, look for an existing user whose email matches the profile's email. If found, create an identity for that user and log them in.
3. If neither is found, provision a new user account from the profile, create its identity, and log the user in.

If an admin adds SSO authentication to their team account after users have already registered, the application can link these new SSO identities to the current user accounts, just-in-time.

A linking field (e.g. email) should be established to find a current user with the incoming WorkOS SSO Profile. Scope that lookup to the profile's organization_id (or connection_id) so an email match in one customer's SSO connection can never attach to an account belonging to another team. The identity information can then be linked with the existing user account via a persistent identifier (the profile id), so the link survives an email change later.
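The sequence of checks above, together with the user/identity data model described earlier, as an added example. This is not WorkOS SDK code and not HireOS's implementation: the in-memory `Store`, `User` and `Identity` types and the `provision` function are assumptions made for illustration, and the sample profile is constructed to mirror the WorkOS SSO profile shape shown above.

```python
"""Added example: JIT provisioning and identity linking for an incoming SSO profile.

The Store/User/Identity types and provision() are hypothetical stand-ins for an
app's own user and identity tables; they are not WorkOS or HireOS code.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample input mirroring the WorkOS SSO profile shape.
SAMPLE_PROFILE = {
    "object": "profile",
    "id": "prof_01DMC79VCBZ0NY2099737PSVF1",
    "connection_id": "conn_01E4ZCR3C56J083X43JQXF3JK5",
    "connection_type": "OktaSAML",
    "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY",
    "email": "todd@example.com",
    "first_name": "Todd",
    "last_name": "Rundgren",
    "idp_id": "00u1a0ufowBJlzPlk357",
    "role": {"slug": "admin"},
}


@dataclass
class User:
    id: int
    organization_id: str
    email: str
    first_name: str
    last_name: str
    role: str


@dataclass
class Identity:
    profile_id: str      # persistent WorkOS profile id; survives an email change
    connection_id: str
    idp_id: str          # the IdP's own subject id, unique within the connection
    user_id: int


class Store:
    """Hypothetical in-memory stand-in for the app's user and identity tables."""

    def __init__(self) -> None:
        self.users: dict[int, User] = {}
        self.identities: dict[str, Identity] = {}  # keyed by profile_id
        self._next_user_id = 1

    def find_identity(self, profile: dict) -> Optional[Identity]:
        # Check 1: an identity for this profile already exists, found either by
        # the persistent profile id or by idp_id scoped to the same connection.
        ident = self.identities.get(profile["id"])
        if ident is not None:
            return ident
        for ident in self.identities.values():
            if (ident.connection_id == profile["connection_id"]
                    and ident.idp_id == profile["idp_id"]):
                return ident
        return None

    def find_user_by_email(self, organization_id: str, email: str) -> Optional[User]:
        # Check 2: the linking field. Scoped to the organization so an email match
        # in one customer's connection can never attach to another team's account.
        for user in self.users.values():
            if (user.organization_id == organization_id
                    and user.email.casefold() == email.casefold()):
                return user
        return None

    def create_user(self, profile: dict) -> User:
        # Check 3 (or self-registration): create the account from profile attributes.
        user = User(
            id=self._next_user_id,
            organization_id=profile["organization_id"],
            email=profile["email"],
            first_name=profile["first_name"],
            last_name=profile["last_name"],
            role=(profile.get("role") or {}).get("slug", "member"),
        )
        self._next_user_id += 1
        self.users[user.id] = user
        return user

    def link_identity(self, profile: dict, user: User) -> Identity:
        ident = Identity(profile["id"], profile["connection_id"], profile["idp_id"], user.id)
        self.identities[ident.profile_id] = ident
        return ident


def provision(store: Store, profile: dict) -> tuple[User, str]:
    """Apply the three checks to an incoming SSO profile.

    Returns the user to log in and what happened: 'login', 'linked' or 'created'.
    """
    ident = store.find_identity(profile)
    if ident is not None:
        return store.users[ident.user_id], "login"          # returning SSO user

    user = store.find_user_by_email(profile["organization_id"], profile["email"])
    if user is not None:
        store.link_identity(profile, user)                  # pre-existing account gains an SSO identity
        return user, "linked"

    user = store.create_user(profile)                       # first SSO login: provision just in time
    store.link_identity(profile, user)
    return user, "created"
```

Because the identity is keyed by the profile id rather than the email, a later email change at the identity provider still resolves to the same user on the first check, and a user who self-registered before their admin enabled SSO is linked rather than duplicated on their first SSO login.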
This document offers guidance on integrating Single Sign-On with the standalone API into an existing auth stack. AuthKit is also available as a complete authentication platform that leverages Single Sign-On functionality out of the box, following best practices.