With the explosion of web applications, organizations have sought single sign-on (SSO) solutions to enable more efficient integration with their core directory services. Here, we’ll explore the difference between SAML SSO and Just-in-Time (JIT) provisioning, two concepts that affect the way users access web applications.
What is SAML SSO?
The SAML (Security Assertion Markup Language) protocol was created in the early 2000s to enable secure authentication between identity providers and service providers (i.e. web applications). SAML is secure because it passes digitally signed, XML-based assertions that are scoped to each application rather than passing user credentials.
Using SAML, organizations created SSO solutions that simplified the login process. Instead of creating new sets of credentials for every web application they used, users could leverage their Active Directory/core directory credentials to access both their machines and their web applications via a browser plugin or web portal.
SAML SSO occurs either through service provider-initiated or identity provider-initiated sign-ons. In service provider-initiated sign-ons, users visit the application's website directly and are redirected to their identity provider based on an attribute such as their domain name or username. They are then logged into the application through their identity provider automatically. In identity provider-initiated sign-ons, employees click through their SSO web portal to access the application. In either case, the service provider never receives or stores their credentials.
SSO providers often offer both pre-built and generic connectors to give organizations flexibility in connecting to both popular and proprietary applications. Pre-built connectors work for popular applications like Slack, Salesforce, GitHub, and thousands more, while generic connectors let admins fill in the necessary fields to connect to applications that aren’t as widely accessible. These solutions save time not only for end users (who spend 36 minutes a month on password activities, according to LastPass) but also for IT admins who need to securely manage user provisioning and passwords.
What is Just-in-Time Provisioning?
Just-in-Time provisioning also uses the SAML protocol, and it refers to a method of application account creation.
With JIT, IT admins no longer need to create accounts manually for each user in each application they use. Instead, user accounts are created the first time users try to log in to applications, as long as they have permissions for them.
For example, IT admins can automatically grant Salesforce access to all users in the sales department, and those users’ accounts are created the first time they try to log in to Salesforce, whether through their SSO portal or via a service provider-initiated login.
It’s important to note the service provider (web application) must support JIT for this implementation to work.
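The following is an added example, not code from the original post or from any SSO vendor. It models the service-provider side of JIT provisioning described above: a hypothetical application receives a SAML assertion (reaching it through either an SP-initiated or an IdP-initiated flow), checks that the assertion is addressed to it, and creates the user's account on first login only if the user's department has been granted access. The `department` attribute name, the entity IDs and the sample assertions are all constructed for the example, and the identity provider's XML signature is assumed to have been verified before this code runs.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from xml.sax.saxutils import escape

# SAML 2.0 assertion namespace, used for every element lookup below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def make_assertion(name_id: str, department: str, audience: str) -> str:
    """Build a constructed, minimal SAML assertion for the example.

    The IdP's XML signature is omitted on purpose: this models the assertion
    *after* the service provider has already verified that signature.
    """
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_example">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{escape(name_id)}</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>{escape(department)}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class Account:
    username: str
    department: str


@dataclass
class ServiceProvider:
    """Hypothetical web application that supports JIT provisioning."""
    entity_id: str                 # the SP's own audience identifier
    allowed_departments: frozenset  # departments the IT admin has granted access
    accounts: dict = field(default_factory=dict)  # username -> Account

    def parse_assertion(self, xml_text: str):
        # In production, parse with a hardened parser (e.g. defusedxml) and only
        # after the signature check; here the input is our own constructed sample.
        root = ET.fromstring(xml_text)
        audiences = {a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
        if self.entity_id not in audiences:
            # An assertion minted for another application must not log anyone in here.
            raise ValueError("assertion audience does not match this service provider")
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not name_id.text:
            raise ValueError("assertion carries no NameID")
        attributes = {}
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            attributes[attr.get("Name")] = [
                v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        return name_id.text, attributes

    def login(self, xml_text: str):
        """Process a verified assertion; returns (outcome, account).

        outcome is 'existing' (account already present), 'created' (JIT
        provisioning ran) or 'denied' (no account and no permission).
        """
        username, attributes = self.parse_assertion(xml_text)
        if username in self.accounts:
            return "existing", self.accounts[username]
        department = (attributes.get("department") or [""])[0]
        if department not in self.allowed_departments:
            # JIT never creates an account the admin has not authorised.
            return "denied", None
        account = Account(username=username, department=department)
        self.accounts[username] = account
        return "created", account


def demo():
    """Walk a sales user and an unauthorised user through first and second logins."""
    sp = ServiceProvider(entity_id="https://crm.example.com/sp",
                         allowed_departments=frozenset({"sales"}))
    first = sp.login(make_assertion("alice@example.com", "sales", sp.entity_id))[0]
    second = sp.login(make_assertion("alice@example.com", "sales", sp.entity_id))[0]
    denied = sp.login(make_assertion("bob@example.com", "engineering", sp.entity_id))[0]
    return first, second, denied, sorted(sp.accounts)


if __name__ == "__main__":
    print(demo())
```

The audience check is what keeps an assertion issued for one application from provisioning an account in another; the department check is the permission gate the post describes, so a user outside the granted group gets no account rather than an empty one.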
Comparing SAML SSO and JIT Provisioning
Both SAML SSO and JIT provisioning play a part in providing a seamless application login experience for users, and they can be used in conjunction.
Web application SSO implementation has a noticeable effect on user experience because users only have to enter their credentials once per session to access all the applications they need to get work done during the day.
Although user experience doesn’t change dramatically when an organization uses JIT provisioning, the process makes onboarding more efficient and IT operations more streamlined. JIT is a behind-the-scenes tool to buy IT admins more time to dedicate to other critical tasks.
Both SAML SSO and JIT Provisioning also increase organizational security and prevent identity sprawl because they ensure users have only one secure identity for their machines, other directory-managed resources, and applications — rather than repeated or similar passwords across services — and decrease the manual provisioning tasks admins have to do.
If you’re an IT admin exploring what SSO solution would be best tailored to your environment, we’ve put together a guide to choosing an SSO solution — check it out!