Setting up just-in-time user provisioning

You can set up just-in-time (JIT) user provisioning in IBM® Envizi ESG Suite by using either standard attributes or nonstandard attributes. Review the configuration that is required to map the SAML claim attributes that are used in JIT provisioning to their corresponding Envizi ESG Suite entities.

Before you begin

The only user access levels and roles that are supported for JIT provisioning are organization-level system administration, general, and view only users.

About this task

JIT provisioning is an identity management technique that, when set up, automatically creates a user account and assigns the necessary permissions when a user attempts to access an application (for example, Envizi ESG Suite) for the first time. The process eliminates the need for manual login creation and reduces administration.

If JIT provisioning is enabled, when a user attempts to log in to Envizi ESG Suite for the first time by using SSO, a user login is automatically created after the IdP application confirms the user credentials.

However, some of the attributes that are required for login creation in Envizi ESG Suite, such as the user's given name and surname, need to be passed to Envizi ESG Suite by the IdP application in the SAML assertion and response.

Procedure

  • Setting up just-in-time user provisioning by using standard attributes.
    The following standard attributes are used for just-in-time provisioning and must be configured in your identity provider (IdP) and included in the SAML assertion/response. Provide this information to your IT department.
    Table 1. Standard attributes for just-in-time provisioning
    Claims attribute   Description
    nameidentifier     Used as the user name in the application and must be formatted as an email address.
    emailAddress       Contact email
    firstname          Contact first name
    lastname           Contact last name

    Users can only be auto-provisioned as organization-level users, whether you use the default standard attributes or configure non-standard attributes.

    The default role given to users is General user.

    The default Location in which the users are provisioned is a location in your organization which contains the words “Unallocated” or “Provisioning”.

    User provisioning only works on IdP-initiated logins or by using the SSO direct link URL:
    • https://<cluster>.envizi.com/home/Client/<client_token>/
    Where <cluster> is the server cluster name and the <client_token> is the Client ID generated in the SSO Admin page.
    For example:
    • https://us003.envizi.com/home/Client/48224780e59e41a2975edc4117889a28/

    User provisioning does not work when accessing the system from the Envizi ESG Suite login page.

  • Setting up just-in-time user provisioning by using non-standard attributes.
    1. Go to Admin > Single Sign-On.
    2. On the row of the SSO you are configuring, right-click or select the Edit SSO Metadata action.
    3. Click SSO preferences.
    4. Enter the Auto-Provisioning Properties values.
      Table 2. Auto-Provisioning Properties for just-in-time user provisioning
      Field                                       Description (followed by an example value where applicable)
      Email Claims Attribute Name                 Attribute in which the user's email value is provided in the SAML assertion/response.
      First Name Claims Attribute Name            Attribute in which the user's first name value is provided in the SAML assertion/response.
      Last Name Claims Attribute Name             Attribute in which the user's last name value is provided in the SAML assertion/response.
      Role Claims Attribute Name                  Mandatory if you want to include roles in your mapping. If not entered, every provisioned user receives the standard Envizi ESG Suite just-in-time role of "General".
      Role View Only - Value mapping              Role or group to which the user belongs in your IdP that maps to the View Only role in Envizi ESG Suite. Example: Read-only
      Role General - Value mapping                Role or group to which the user belongs in your IdP that maps to the General role in Envizi ESG Suite. Example: Editor
      Role System Administration - Value mapping  Role or group to which the user belongs in your IdP that maps to the System Administrator role in Envizi ESG Suite. Example: Admin
    5. Enter the Roles Attributes. This is the mapping from the roles in your provisioning system to the roles in Envizi ESG Suite.
    6. In Other Attributes, select the location where the provisioned users are created. If this is not entered, the default location settings are used.
    7. Click Save.
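    To make the Table 1 claim requirements and the Table 2 role mapping concrete, the following is an added illustration in Python; it is not Envizi code and does not reproduce the product's real provisioning logic. It parses a constructed assertion, enforces the required claims and the email-formatted nameidentifier, applies the configured claim names and role value mappings with General as the default role, and (as an assumption) fails closed when a configured role claim carries no mapped value, preferring the least-privileged role when several match.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ROLE_ORDER = ["View Only", "General", "System Administration"]  # least privilege first (tie-break, assumption)

# Constructed sample assertion (not from the IBM page): Table 1 names plus a custom "groups" role claim.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Editor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Mirrors the Table 2 fields; the role value mappings use the page's example values.
SAMPLE_PROPS = {"email_claim": "emailAddress", "first_claim": "firstname", "last_claim": "lastname",
                "role_claim": "groups",
                "role_values": {"Read-only": "View Only", "Editor": "General", "Admin": "System Administration"}}

def claims(assertion_xml):
    """Return {claim name: [values]} from the AttributeStatement, plus NameID as 'nameidentifier'."""
    root = ET.fromstring(assertion_xml)
    out = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
           for a in root.findall(".//saml:Attribute", NS)}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    out["nameidentifier"] = [name_id.text or ""] if name_id is not None else []
    return out

def provision(assertion_xml, props):
    """Build the user record JIT provisioning would create; raise ValueError if a required claim is absent."""
    attrs = claims(assertion_xml)
    def required(name):
        vals = attrs.get(name, [])
        if not vals or not vals[0].strip():
            raise ValueError(f"required claim {name!r} missing from assertion")
        return vals[0].strip()
    username = required("nameidentifier")
    if not EMAIL_RE.match(username):  # page: nameidentifier is the user name and must be email-formatted
        raise ValueError("nameidentifier must be formatted as an email address")
    role = "General"  # page default when no Role Claims Attribute Name is configured
    if props.get("role_claim"):
        matched = [props["role_values"][v] for v in attrs.get(props["role_claim"], []) if v in props["role_values"]]
        if not matched:  # assumption: fail closed instead of silently falling back to General
            raise ValueError(f"role claim {props['role_claim']!r} carried no mapped value")
        role = min(matched, key=ROLE_ORDER.index)
    return {"username": username, "email": required(props["email_claim"]), "role": role,
            "first_name": required(props["first_claim"]), "last_name": required(props["last_claim"]),
            "access_level": "Organization"}  # page: JIT users are always organization-level
```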