com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links' is unknown.

Configuring Just-In-Time Provisioning for an Identity Provider

Owned by Former user (Deleted)
Last updated: Aug 11, 2018 by Former user (Deleted)
3 min read

Just-in-time provisioning is about how to provision users to the Identity Server at the time of federated authentication. A service provider initiates the authentication request, the user gets redirected to the Identity Server, and then the Identity Server redirects the user to an external identity provider for authentication. Just-in-time provisioning gets triggered in such a scenario when the Identity Server receives a positive authentication response from the external identity provider. The Identity Server will provision the user to its internal user store with the user claims from the authentication response.

You configure JIT provisioning against an identity providernot against service providers. Whenever you associate an identity provider with a service provider for outbound authentication, if the JIT provisioning is enabled for that particular identity provider, then the users from the external identity provider will be provisioned into the Identity Server's internal user store. In the JIT provisioning configuration, you can also select the provisioning user store.

JIT provisioning happens in the middle of an authentication flow. You can create users on the fly, without having to create user accounts in advance. For example, if you recently added a user to your application, you do not need to manually create the user in Identity Server or in the underlying user store. The provisioning can happen in a blocking mode or in a non-blocking mode. In the blocking mode, the authentication flow is blocked until the provisioning happens while in the non-blocking mode, provisioning happens in a different thread. If you want to allow a user to access your application only if the user is authenticated and provisioned, then you should use blocking mode.

Configuring JIT provisioning for an identity provider

To configure JIT provisioning for an identity provider, follow the steps below: 

  1. Start WSO2 Identity Server and access the Management Console via  https://localhost:9443/carbon/. For detailed instructions on starting WSO2 Identity Server, see Running the Product.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
  3. Click the Main tab on the Management Console, navigate to Identity Providers under the Identity menu, and then click Add. This displays the Add New Identity Provider screen.

  4. Enter appropriate values for all required fields in the Basic Information section. 

  5. Expand the Just-In-Time Provisioning section and select the JIT provisioning options based on your requirement.
    • If you want to disable JIT provisioning, select No Provisioning. This is selected by default.

    • If you want to always provision users to a selected user store domain, select Always provision to User Store Domain, and then select a required user store domain from the list of available user store domains. 

      Tip

      The user store domain that you see by default is the PRIMARY user store provided with WSO2 Identity Server. If you want to select a user store domain other than the default primary user store domain, you have to configure a user store of your preference so that it appears in the list for you to select. 

      If you apply the WUM update released on the 1st of August 2018 for WSO2 IS 5.6.0, and select Always provision to User Store Domain,

      • You can provision users to multiple user stores depending on the user name specified at the time of provisioning if you select As in username.

        If you select this option and do not specify the user name appropriately, the relevant user is provisioned to the PRIMARY user store domain. For example,

        • If you specify the user name as TEST.COM/user1, the user is provisioned to the TEST.COM user store domain.
        • If you specify the user name as user1, the user is provisioned to the PRIMARY user store domain.
      • You can select one of the following provisioning options depending on how you want to prompt users for relevant credentials at the time of JIT provisioning with a federated identity provider. The default selection is Provision silently.
        • Prompt for username, password and consent
        • Prompt for password and consent
        • Prompt for consent
        • Provision silently

      You can deploy a WUM update into production only if you have a paid subscription. If you do not have a paid subscription, you can use this functionality when the next version of WSO2 Identity Server is released.


      Provisioning claims should be compatible with the policies defined in the user store manager configuration. For example user name should match with UsernameJavaRegEx and
      RolenameJavaScriptRegEx in user store configuration.

  6. Click Register to add the identity provider.
Related Topics

For information on the JIT provisioning architecture, see Provisioning Architecture.

For information on how to customize the user name and password provisioning UIs, see Customizing Just-In-Time Provisioning User Interfaces.

com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links2' is unknown.