This documentation is for WSO2 Identity Server 5.5.0.
Configuring Just-In-Time Provisioning for an Identity Provider - Identity Server 5.5.0 - WSO2 Documentation


Just-in-time provisioning is about how to provision users to the Identity Server at the time of federated authentication. A service provider initiates the authentication request, the user gets redirected to the Identity Server, and then the Identity Server redirects the user to an external identity provider for authentication. Just-in-time provisioning gets triggered in such a scenario when the Identity Server receives a positive authentication response from the external identity provider. The Identity Server will provision the user to its internal user store with the user claims from the authentication response.

You configure JIT provisioning against an identity provider, not against a service provider. Whenever you associate an identity provider with a service provider for outbound authentication, and JIT provisioning is enabled for that identity provider, users authenticated by the external identity provider are provisioned into the Identity Server's internal user store. In the JIT provisioning configuration you can also pick the user store into which they are provisioned.

JIT provisioning happens in the middle of an authentication flow. You can create users on the fly, without having to create user accounts in advance. For example, if you recently added a user to your application, you do not need to manually create the user in the Identity Server or in the underlying user store.

To navigate to the JIT provisioning section, do the following.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
  3. Fill in the details in the Basic Information section.

Expand the Just-In-Time Provisioning section to configure this.

  • Selecting No provisioning from the available options disables Just-In-Time provisioning. This is selected by default.
  • Alternatively, choose to always provision users to a user store domain, and select the user store domain name from the dropdown list. The default user store shipped with the Identity Server is the one available by default; any additional user store you configure is also listed in this dropdown for selection.

Provisioning claims must be compatible with the policies defined in the user store manager configuration; otherwise provisioning fails even though the external identity provider authenticated the user. For example, the username should match the UsernameJavaRegEx and RolenameJavaScriptRegEx defined in the user store configuration.
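The following is an added example (not WSO2 code and not from this page) of the pre-check the preceding paragraph implies: validating the subject and role values that would arrive in a federated authentication response against the regex policies of the target user store before relying on JIT provisioning. The property names `UsernameJavaRegEx` and `RolenameJavaRegEx` are the user-store manager properties; the patterns, the domain names `PRIMARY` and `FEDERATED`, and the sample responses are constructed assumptions for this example. Java's `Pattern.matcher(value).matches()` is approximated with Python's `re.fullmatch`, which treats the character classes used here identically.

```python
import re

# Constructed stand-ins for the per-user-store regex policies that the
# Identity Server reads from its user store manager configuration. The
# property names are real; the patterns and domain names are assumptions.
USER_STORE_POLICIES = {
    "PRIMARY": {
        "UsernameJavaRegEx": r"^[\S]{3,30}$",
        "RolenameJavaRegEx": r"^[\S]{3,30}$",
    },
    "FEDERATED": {
        "UsernameJavaRegEx": r"^[a-zA-Z0-9._\-|//]{3,30}$",
        "RolenameJavaRegEx": r"^[a-zA-Z0-9._\-|//]{3,30}$",
    },
}


def _java_matches(pattern: str, value: str) -> bool:
    """Approximate Java's Pattern.matcher(value).matches(): the whole string
    must match. Python's re handles the classes used above the same way."""
    return re.fullmatch(pattern, value) is not None


def check_jit_claims(username: str, roles: list, user_store_domain: str,
                     policies: dict = USER_STORE_POLICIES) -> list:
    """Return human-readable problems that would make JIT provisioning of this
    federated user into `user_store_domain` fail. Empty list means the values
    satisfy the configured policies."""
    policy = policies.get(user_store_domain)
    if policy is None:
        return [f"user store domain '{user_store_domain}' is not configured"]

    problems = []
    if not _java_matches(policy["UsernameJavaRegEx"], username):
        problems.append(
            f"username '{username}' violates UsernameJavaRegEx "
            f"{policy['UsernameJavaRegEx']} of {user_store_domain}")
    for role in roles:
        if not _java_matches(policy["RolenameJavaRegEx"], role):
            problems.append(
                f"role '{role}' violates RolenameJavaRegEx "
                f"{policy['RolenameJavaRegEx']} of {user_store_domain}")
    return problems


def federated_users_needing_attention(responses: list, user_store_domain: str) -> dict:
    """Run the check over several authentication responses (for example a sample
    of subjects the external IdP will send) and map each failing subject to its
    problems; clean subjects are omitted."""
    result = {}
    for resp in responses:
        problems = check_jit_claims(resp["subject"], resp.get("roles", []), user_store_domain)
        if problems:
            result[resp["subject"]] = problems
    return result


# Constructed sample of subject/role sets as they might arrive from an external IdP.
SAMPLE_RESPONSES = [
    {"subject": "alice.smith", "roles": ["employee"]},
    {"subject": "bob smith", "roles": ["employee"]},          # space fails \S
    {"subject": "cd", "roles": ["contractor"]},               # shorter than 3 chars
    {"subject": "dana@example.com", "roles": ["ext users"]},  # role contains a space
]

if __name__ == "__main__":
    for subject, problems in federated_users_needing_attention(SAMPLE_RESPONSES, "PRIMARY").items():
        print(subject)
        for p in problems:
            print("  -", p)
```

Running the script against the `PRIMARY` policy reports `bob smith`, `cd` and `dana@example.com`; switching the domain to `FEDERATED` additionally rejects `dana@example.com` itself, because `@` is outside that store's username class. Running such a check when onboarding an identity provider, or when changing a user store's regex properties, surfaces the mismatch before users hit a provisioning error mid-login.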

To read up about the JIT provisioning architecture, see Provisioning Architecture.
