Skip to content

Just-in-Time User Inbound Provisioning

This page guides you through configuring Just-in-Time (JIT) provisioning for users from external identity providers into WSO2 Identity Server during federated authentication.


Prerequisites

You need to add and configure an identity provider on the Identity Server.

Enable JIT provisioning

To enable JIT provisioning for an IdP:

  1. On WSO2 Identity Server Management Console, go to Main > Identity > Identity Providers section.
  2. Click List, select the identity provider you want to enable JIT provisioning, and click on the corresponding Edit link.
  3. Expand the Just-In-Time Provisioning section and select the JIT provisioning options based on your requirement.

    just-in-time-provisioning

  4. Select Always provision to User Store Domain, and select a required user store domain from the list of available user store domains.

    Tip

    The default user store domain you see is the PRIMARY user store provided with WSO2 Identity Server.

    If you want to provision users to multiple user stores depending on the user name specified at the time of provisioning, select As in username from the dropdown.

    If you select this option and do not specify the user name appropriately, the relevant user is provisioned to the PRIMARY user store domain.
    For example,

    • If you specify the username as user, the user is provisioned to the domain.
    • If you specify the username as user1, the user is provisioned to the PRIMARY user store domain.

    Suppose you want to select a user store domain other than the default primary user store domain. In that case, you need to configure a userstore of your preference for it to appear in the list for you to select.

  5. Select the provisioning options depending on how you want to prompt users for relevant credentials at the time of JIT provisioning. The provisioning options are as follows:

    • Prompt for username, password, and consent
    • Prompt for password and consent
    • Prompt for consent
    • Provision silently

    Note

    By default, Provision silently will be selected. You can change it as you wish.

  6. Click Update to save your configurations.

Note

Provisioning claims should be compatible with the policies defined in the userstore manager configuration. For example user name should match UsernameJavaRegEx and RolenameJavaScriptRegEx in the userstore configuration.

Disable JIT Provisioning

To disable JIT provisioning for an IdP:

Note

JIT provisioning is disabled by default. If you have enabled JIT provisioning for the IdP, use these instructions to disable it.

  1. On WSO2 Identity Server Management Console, go to Main > Identity > Identity Providers section.
  2. Click List, select the identity provider you want to enable JIT provisioning, and click on the corresponding Edit link.
  3. Expand the Just-In-Time Provisioning section and select the JIT provisioning options based on your requirement.
  4. Select No Provisioning and click Update to disable JIT provisioning.

Enhanced Feature (Optional)

Add the following configuration to deployment.toml in the /conf directory.

[authentication.jit_provisioning]
enable_enhanced_feature = "true"

With the JIT provisioned enhanced feature, the following capabilities will be available.

  • A Federated unique user id will be set as the username of the JIT provisioned user.
  • Second-factor authenticators (Ex:- TOTP, Email OTP) will be able to configure for federated users when JIT provisioning is enabled
  • When an IDP is deleted, the Identity Server will delete all provisioned users from that IDP.
  • Editing JIT-provisioned user’s attributes will not be allowed.
  • Ability to lock JIT provisioned user accounts based on social identity.

Preserve Locally Added Claims of JIT Provisioned Users

If a user already having an account in WSO2 Identity Server logs in using federated login with the same email address, WSO2 Identity Server deletes any locally added claims of the user and retains only the claims provided by the federated authenticator.

If you wish to change this default behavior and preserve the locally added claims of the user, go to the deployment.toml file found in the <IS_HOME>/repository/conf directory and add the following configuration.

[authentication.jit_provisioning]
preserve_locally_added_claims = "true"

Note

This configuration is available in IS 6.1.0 product from the update level 6.1.0.44 onwards

Customize JIT Provisioning User Interfaces

You can customize the default user interface that is displayed to prompt for credentials at the time of just-in-time provisioning.

To customize the user interfaces depending on your requirement, add the following configuration in the deployment.toml file.

[authentication.jit_provisioning]
username_provisioning_url= "/accountrecoveryendpoint/register.do"
password_provisioning_url= "/accountrecoveryendpoint/signup.do"
  • Update username_provisioning_url if you have selected Prompt for username, password and consent as the provisioning option.

  • Update password_provisioning_url if you have selected Prompt for password and consent or Prompt for consent as the provisioning option.

Note

Learn more about configuring the provisioning methods.

Top