Configuring SAML JIT provisioning

Enable just-in-time (JIT) provisioning to create or update a user account at the service provider the first time that a user authenticates with Verify. IBM® Security Verify passes the user information that is required to create or update the account in the SAML assertion. Use JIT provisioning for cases where the service provider does not require the user identity information to be created or known to it before the user attempts to access the service provider.

Before you begin

  • You must have administrative permission to complete this task.
  • Create user profiles in the cloud directory for those users that you intend to grant application access entitlements. Add the users through the Directory > Users & Groups > Users page. See Managing users.
  • Set up the basic information for the application instance in the General tab. See Setting the basic application details.

About this task

Enable JIT provisioning as part of configuring SAML-based single sign-on between Verify and the service provider. See

The user account is created in the service provider user registry by using the attributes that are included in the SAML assertion. Verify sends a SAML assertion to the service provider when the user accesses the service provider as part of single sign-on. If no match exists for the presented username, the service provider creates a new account with the user attributes that are contained in the SAML assertion. The service provider also immediately grants the user access to the requested resources.

If you enable Just-in-time Provisioning in Verify, you must also enable it in the service provider. The two settings must always be in sync.

If a match is found and the service provider determines that an account already exists for the user, the service provider updates the account according to the attribute information in the SAML assertion.

Some service providers support account updates on subsequent user login when JIT provisioning is enabled. See the service provider product documentation to determine the behavior.

Note: Known behavior. If the administrator created a standard user in cloudIdentityRealm with the userName in the form user@tenanthostname, where tenanthostname is the tenant's hostname (for example, hostname.idng.ibmcloudsecurity.com), then during the JIT provisioning flow, if the received token has the username user, a federated user is not created for that user. Instead, the standard user user@tenanthostname from cloudIdentityRealm is used by default for usability purposes.

Procedure

  1. Select Applications > Applications > Edit > Sign-on.
  2. In the Just-in-time Provisioning section, select Include provisioning attributes in the SAML assertion to list the user attributes that the service provider requires to create or update the user account on its user registry.
    Note: Depending on the application, this option might:
    • Always be enabled at the service provider. In that case, it is enabled and read-only by default in Verify. No provisioning attributes are required and no further configuration is needed.
    • Display attributes that the service provider requires to provision the user account. A service provider usually requires the following user attributes at a minimum:
      • Username
      • Given name
      • Surname
      • Email address
    • Display attributes that the service provider can use when provisioning the user account, for example:
      • Employee ID
      • Mobile phone
      • Department
      • Job title
    • Require provisioning attributes that are the same as the attributes that are required for single sign-on.

      It does not matter whether the check box is selected. The user account is provisioned when the user completes single sign-on with Verify.

  3. In Attribute Mappings, assign a corresponding Verify user attribute to each service provider attribute.

    Map the attributes based on the service provider requirements.

    Use attribute mapping to control how the application computes the user attributes from Verify. The service provider attributes are populated with whatever values are held by the mapped Verify user attribute.

    Note: The list of attributes that are displayed, and their importance, varies depending on the application. Some single sign-on attributes might also be required for provisioning.
  4. Click Save.
  5. Configure JIT provisioning at the service provider. See the instructions that are provided in the Verify Sign-on tab.
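The create-or-update behavior described under About this task, and the attribute mapping of step 3, shown as an added illustration (example code written for this page, not part of IBM Security Verify or of any service provider): a minimal service-provider JIT routine in Python that parses a constructed SAML 2.0 assertion, applies an assumed attribute mapping from assertion attribute names to account fields, rejects assertions that lack the minimum required attributes (username, given name, surname, email), and then either creates a local account or updates the existing one. The XML namespace is the standard SAML 2.0 assertion namespace; the issuer URL, attribute names, sample values and in-memory registry are all constructed for the example. In a real service provider the assertion's signature, audience and validity window are verified before any of this runs.

```python
"""Service-provider side of SAML JIT provisioning (illustrative example)."""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Issuer, attribute names and values are
# made up for this example. Signature, audience and time-window checks are
# assumed to have already passed before the assertion reaches this code.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attribute mapping (account field -> attribute name in the assertion).
# This mirrors the Attribute Mappings step; the names are assumptions.
ATTRIBUTE_MAP = {
    "username": "uid",
    "givenName": "given_name",
    "surname": "family_name",
    "email": "email",
    "department": "department",  # optional attribute
}

# Minimum attributes a service provider usually needs to create an account.
REQUIRED_FIELDS = ("username", "givenName", "surname", "email")


def extract_attributes(assertion_xml):
    """Return {attribute name: value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


def map_attributes(assertion_attrs):
    """Apply ATTRIBUTE_MAP and enforce the required provisioning attributes."""
    account = {}
    for field, idp_name in ATTRIBUTE_MAP.items():
        if idp_name in assertion_attrs and assertion_attrs[idp_name]:
            account[field] = assertion_attrs[idp_name]
    missing = [f for f in REQUIRED_FIELDS if f not in account]
    if missing:
        raise ValueError(f"assertion lacks required provisioning attributes: {missing}")
    return account


class Registry:
    """In-memory stand-in for the service provider's user registry."""

    def __init__(self):
        self.accounts = {}

    def jit_provision(self, assertion_xml):
        """Create the account if the username is unknown, otherwise update it.

        Returns "created", "updated" or "rejected" (missing required attributes).
        """
        try:
            account = map_attributes(extract_attributes(assertion_xml))
        except ValueError:
            # Refuse to provision a partial account rather than guess values.
            return "rejected"
        username = account["username"]
        if username in self.accounts:
            # Match found: refresh the stored attributes from the assertion.
            self.accounts[username].update(account)
            return "updated"
        # No match: create the account and (implicitly) grant access.
        self.accounts[username] = account
        return "created"


if __name__ == "__main__":
    registry = Registry()
    print(registry.jit_provision(SAMPLE_ASSERTION))  # first login
    print(registry.jit_provision(SAMPLE_ASSERTION))  # subsequent login
```

The first call creates the account, the second updates it, which is the "account updates on subsequent login" behavior that some service providers support; an assertion with a required attribute missing is rejected instead of producing a half-populated account.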

Results

Note: When an entitled user accesses the application from Verify for the first time, the user is prompted to accept the terms and conditions. The user account is provisioned at the application and the user can sign in to it.