Do I Need Just-in-Time (JIT) Provisioning?

Written by Cassa Niedringhaus on March 6, 2020


Just-in-Time (JIT) provisioning is an emerging IT automation strategy that allows admins to configure connections between their identity provider and SaaS app service providers, provision users to those apps, and enable access without manually creating individual application accounts. In this post, we’ll explain how it works and give you a checklist you can use to decide whether your organization would benefit from JIT provisioning. 

Just-in-Time Provisioning Explained 

JIT provisioning is a method of creating user accounts in SaaS apps. The process works like this: An admin needs to configure a single sign-on (SSO) connection between the identity provider and the SaaS provider. Different service providers require different user attributes (and/or refer to them by different names) for account creation, which is why up-front configuration is required to map the correct attributes between the identity and service providers. 

Once the admin has configured a connection, though, they can create a user in the identity provider with all their needed attributes, enable user access to the apps they require to do their jobs, and then prompt users to access those apps — all without opening the apps themselves. 

Users then trigger the creation of their requisite app accounts the first time they try to log in to those apps through their identity provider’s SSO portal.
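The service-provider side of that flow, as an added sketch that is not code from JumpCloud or any particular SaaS app: it maps identity-provider attribute names to the app's own fields, creates the account on first login, and reuses it on later logins. The attribute names, the in-memory user store, and the assumption that the SSO layer has already verified the assertion are all illustrative.

```python
# Added example: service-provider side of JIT provisioning.
# Assumption: the SSO layer has already verified the assertion's signature,
# issuer and audience; only the attribute statement reaches this code.

# Hypothetical mapping: IdP attribute name -> this app's account field.
ATTRIBUTE_MAP = {
    "mail": "email",
    "givenName": "first_name",
    "sn": "last_name",
}
REQUIRED_FIELDS = {"email", "first_name", "last_name"}


class ProvisioningError(Exception):
    """Raised when the assertion cannot be turned into a complete account."""


def map_attributes(idp_attributes):
    """Translate IdP attribute names into the app's field names."""
    account = {}
    for idp_name, app_field in ATTRIBUTE_MAP.items():
        value = (idp_attributes.get(idp_name) or "").strip()
        if value:
            account[app_field] = value
    missing = REQUIRED_FIELDS - account.keys()
    if missing:
        # Refuse to create a half-populated account from a bad mapping.
        raise ProvisioningError(f"missing attributes: {sorted(missing)}")
    account["email"] = account["email"].lower()
    return account


def jit_login(idp_attributes, accounts):
    """Create the account on first login; reuse it afterwards.

    Returns (account, created). `accounts` is an in-memory stand-in for the
    app's user store, keyed by email.
    """
    mapped = map_attributes(idp_attributes)
    existing = accounts.get(mapped["email"])
    if existing is not None:
        return existing, False
    accounts[mapped["email"]] = mapped
    return mapped, True


# Constructed sample attribute statement, not taken from a real IdP.
SAMPLE_ASSERTION = {"mail": "Ada@Example.com", "givenName": "Ada", "sn": "Lovelace"}
```

Rejecting an assertion with missing required attributes surfaces a mapping mistake at the first login instead of leaving incomplete accounts in the app.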

JIT Provisioning Workflow

JIT provisioning provides numerous benefits — including saving admins valuable time by offloading repeated data entry to an automated workflow. Beyond the convenience it provides, JIT provisioning also reduces the chance that admins make data entry errors.

If you’re assessing various strategies to implement JIT provisioning, these questions can guide your decision-making:

  • Does our identity provider support JIT?
  • Can we implement JIT from our identity provider without a service upcharge or another add-on?
  • How many SaaS apps is our company using?
  • Do the SaaS apps we use support JIT?
  • At what intervals do we onboard users?
  • Are we planning to scale the company?

The JIT provisioning workflow is particularly beneficial for organizations that regularly add new users or that plan to scale. Manually provisioning one new user to all their apps might be doable, but it’s a strategy that will impede an organization trying to grow quickly.

Depending on the identity provider, an organization might have to pay more or seek a third-party solution to enable SSO + JIT provisioning. Some identity providers include it as a benefit for all customers, though. Depending on the service provider, too, an admin can create custom roles in the service provider itself and configure their identity provider to trigger roles and access privileges in addition to basic account creation.

If your identity provider or preferred SSO provider doesn’t charge more money for JIT provisioning, your target SaaS apps support JIT, and your company would like to save time onboarding users, it’s likely a good fit.

Automated Provisioning Strategy

JIT provisioning can fit into an organization’s broader strategies around automation and user lifecycle management. Ideally, admins can implement a central directory that translates a user’s core identity to all their permitted resources — not only apps but also systems, networks, and file servers. 

JumpCloud® Directory-as-a-Service® can serve as an organization’s central cloud directory to provision users to virtually all their resources. With JumpCloud, admins can provision users to SaaS apps, and JIT functionality represents no additional cost. Learn more about JumpCloud’s SAML SSO capabilities.
