Configuring Just-In-Time Provisioning for an Identity Provider

Just-in-time provisioning is about how to provision users to the Identity Server at the time of federated authentication. A service provider initiates the authentication request, the user gets redirected to the Identity Server, and then the Identity Server redirects the user to an external identity provider for authentication. Just-in-time provisioning gets triggered in such a scenario when the Identity Server receives a positive authentication response from the external identity provider. The Identity Server will provision the user to its internal user store with the user claims from the authentication response.

You configure JIT provisioning against an identity provider–not against service providers. Whenever you associate an identity provider with a service provider for outbound authentication, if the JIT provisioning is enabled for that particular identity provider, then the users from the external identity provider will be provisioned into the Identity Server's internal user store. In the JIT provisioning configuration, you can also select the provisioning user store.

JIT provisioning happens in the middle of an authentication flow. You can create users on the fly, without having to create user accounts in advance. For example, if you recently added a user to your application, you do not need to manually create the user in Identity Server or in the underlying user store. The provisioning can happen in a blocking mode or in a non-blocking mode. In the blocking mode, the authentication flow is blocked until the provisioning happens while in the non-blocking mode, provisioning happens in a different thread. If you want to allow a user to access your application only if the user is authenticated and provisioned, then you should use blocking mode.

Configuring JIT provisioning for an identity provider

To configure JIT provisioning for an identity provider, follow the steps below: