This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring Just-In-Time Provisioning for an Identity Provider

Owned by Former user (Deleted)
Last updated: Jun 04, 2018 by Former user (Deleted)
2 min read

Just-in-time provisioning is about how to provision users to the Identity Server at the time of federated authentication. A service provider initiates the authentication request, the user gets redirected to the Identity Server, and then the Identity Server redirects the user to an external identity provider for authentication. Just-in-time provisioning gets triggered in such a scenario when the Identity Server receives a positive authentication response from the external identity provider. The Identity Server will provision the user to its internal user store with the user claims from the authentication response.

You configure JIT provisioning against an identity providernot against service providers. Whenever you associate an identity provider with a service provider for outbound authentication, if the JIT provisioning is enabled for that particular identity provider, then the users from the external identity provider will be provisioned into the Identity Server's internal user store. In the JIT provisioning configuration, you can also pick the provisioning user store.

JIT provisioning happens in the middle of an authentication flow. You can create users on the fly, without having to create user accounts in advance. For example, if you recently added a user to your application, you do not need to manually create the user in the Identity Server or in the underlying user store. 

Expand the Just-In-Time Provisioning section to configure this.

  • Selecting No provisioning from the available options disables Just-In-Time provisioning. This is selected by default.
  • Alternatively you could choose to always provision users to the user store domain. Select the user store domain name from the dropdown list to provision users to the user store. The default user store that is shipped with the Identity Server is the user store available by default. You can configure a user store of your preference and it will be listed in this dropdown for selection.

Provisioning claims should be compatible with the policies defined in the user store manger configuration. For example user name should match with the UsernameJavaRegEx and
RolenameJavaScriptRegEx in user store configuration.

To read up about the JIT provisioning architecture, see Provisioning Architecture.