Configuring SAML JIT provisioning
Enable just-in-time (JIT) provisioning to create or update a user account at the service provider the first time that a user authenticates with Verify. IBM® Security Verify passes the user information that is required to create or update the account in the SAML assertion. Use JIT provisioning for cases where the service provider does not require the user identity information to be created or known to it before the user attempts to access the service provider.
Before you begin
- You must have administrative permission to complete this task.
- Create user profiles in the cloud directory for the users to whom you intend to grant application access entitlements. Add the users through the page. See Managing users.
- Set up the basic information for the application instance on the General tab. See Setting the basic application details.
About this task
The user account is created in the service provider user registry by using the attributes that are included in the SAML assertion. Verify sends a SAML assertion to the service provider when the user accesses the service provider as part of a single sign-on. If no match exists for the presented username, the service provider creates a new account with the user attributes contained in the SAML assertion. The service provider also immediately grants the user access to the requested resources.
If you enable Just-in-time Provisioning in Verify, you must also enable it in the service provider. These two settings must always be in sync.
If a match is found, that is, an account already exists for the user, the service provider updates the account according to the attribute information in the SAML assertion.
Some service providers support account updates on subsequent user login when JIT provisioning is enabled. See the service provider product documentation to determine the behavior.
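The create-or-update decision described above, written out as an added example of the service-provider side of the flow; this is illustrative code, not Verify's or any service provider's implementation. It assumes the assertion's signature and audience have already been validated upstream, uses a constructed sample assertion, and restricts which assertion attributes may be written to the account (an added hardening step, not something the page prescribes).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Assumption: signature and audience were
# verified before this point; JIT logic must never run on an unverified assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@hostname.idng.ibmcloudsecurity.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (username, attributes) from the assertion; refuse if NameID is missing."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID; nothing to match or provision")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return name_id.text.strip(), attrs


def jit_provision(registry, xml_text, jit_enabled=True,
                  allowed_attrs=("givenName", "email")):
    """Match on username; create or update the SP account from the assertion.

    Returns 'created', 'updated', 'unchanged' or 'denied'. `registry` is a
    dict standing in for the service provider's user registry.
    """
    username, attrs = parse_assertion(xml_text)
    if not jit_enabled:
        # JIT must be enabled on the SP as well as in Verify; with it off,
        # an unknown user is denied rather than silently created.
        return "unchanged" if username in registry else "denied"
    # Only allow-listed attributes reach the account (drops e.g. "role" above).
    safe_attrs = {k: v for k, v in attrs.items() if k in allowed_attrs}
    if username in registry:
        registry[username].update(safe_attrs)
        return "updated"
    registry[username] = dict(safe_attrs)
    return "created"
```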
cloudIdentityRealm with the userName in the form user@tenanthostname, where tenanthostname is the tenant's hostname, for example hostname.idng.ibmcloudsecurity.com. During the JIT (Just-In-Time provisioning) flow, if the received token has the username user, a federated user is not created for that user; instead, the standard user user@tenanthostname from cloudIdentityRealm is configured as the default for usability purposes.