Blog

What Is Just-In-Time Provisioning and How Do You Use It?

November 30, 2023

We’ll explain what JIT is, how it compares to other user provisioning strategies, why you should consider supporting it and how you can implement it.

Picture this scenario: you're a startup developer working tirelessly to close your first enterprise client, you’ve spent countless long days putting together a suitable SSO integration, and you’re ready to close your first enterprise deal.

But just before you can sign on the dotted line, your prospective customer’s IT team drops the term 'Just-In-Time' (JIT) provisioning on you. If you’ve already implemented SAML-based SSO and SCIM-based account provisioning, you might be confused as to what JIT could possibly add on top.

In this article, we’ll explain what JIT is, how it compares to other user provisioning strategies, why you should consider supporting it and how you can implement it.

The three user provisioning strategies

When you enable SSO for an enterprise customer, there are three strategies you might follow to allow their employees to use your app. 

Ultimately, your customers’ IT team will dictate which “provisioning strategy” they want to follow, but supporting all of them out of the box is an easy way to stand out during procurement.

Here are the three strategies you can expect to see:

  • Self-Registration: A potential user visits your app and signs up like they would for any other service. Your SaaS app almost certainly supports this already today for the majority of your users, but from an enterprise perspective, it’s unlikely that your customers would want their employees to freely access your service.

    While you could support this with something like an email whitelist, it’s generally the least secure and least controlled strategy (from a financial and audit perspective).

  • Pre-Provisioning: This is the most common way to provision users. Using a provisioning protocol like SCIM via their IdP, your customers’ IT team will give your app a pre-approved list of who can access it - much like a guest list at a party.

    This is the most secure and controlled method of access, but it does require your customer’s IT team to approve and either manually take action to provision a user, or to create an automated request form available internally to their employees.

  • Just-In-Time Provisioning: JIT provisioning is a combination of the two above strategies. Employees are free to sign in to your app with SSO, even if they haven’t been pre-approved by their IT department. Instead, the account is created “just-in-time” and secured by a SAML-based SSO handshake. It’s secure, but trades control for convenience. 

What is Just-In-Time provisioning with SAML and why should you implement it?

To understand JIT provisioning, you need to understand SAML.

It’s an acronym for Security Assertion Markup Language, an open standard which allows you to create a secure bridge between your customer’s identity provider platform (IdP) and your app (the service provider, or SP) to exchange authorization credentials efficiently and securely.

In plain English, SAML provides a way for authentication information to be shared seamlessly across any major IdP in today's market.

In the context of your SaaS application, 'Just-In-Time' (JIT) provisioning is a process that leverages SAML to create user accounts on-the-fly. In other words, an account is created instantly when a user logs in through a company SSO account for the first time.

The main benefit of Just-In-Time provisioning is that IT admins don't need to manually create a new account for every employee they want to provision on your software - Nor do those employees need to manually make an access request and wait days for both their line manager and IT team to approve it.

If you've used something like Slack or Salesforce before, you might've seen JIT provisioning in action already.

Why should you, as a startup, be interested in JIT? Two reasons: convenience and adoption. 

With JIT provisioning enabled in your app, you're opening up an entire organization to self-serve their access to your app. And unlike SCIM provisioning, it doesn't require their IT team to sign off on every access request. That can quickly add tens, hundreds - even thousands - of paid seats to your SaaS. 

IT admins love JIT provisioning too - it cuts down on the approval and administration work they need to carry out, it means they don't need to implement yet another automated SCIM provisioning integration in their HRIS, and it keeps their customers - the employees - happy. This is helpful when you want to edge out your competition on an RFP.

Despite being so accessible, JIT provisioning is a very secure way to onboard users. Beyond just whitelisting your customer’s email domain, JIT is a full, SAML-enabled SSO handshake. Your customer's IT security and SSO policies then take care of everything else, since only their authorized and verified employees will be able to access their email accounts.

How does Just-In-Time (JIT) provisioning work?

When your customer's employee attempts SSO to an application, your customer's identity provider dispatches a SAML assertion to your app (the service provider). This assertion contains proof of authentication, plus all of the user attributes your app will need to set the user up - like their full name or their profile picture.

Here’s what those steps look like:

  1. Your customer’s IT team enables SSO and Just-In-Time Provisioning between your app and their identity provider platform.
  2. One of your customers’ employees attempts to log in to your app. They’re redirected to the identity provider to log in.
  3. Your app makes a SAML request to your customer’s IdP, which responds with a SAML assertion containing both an authentication token and a series of SSO profile attributes about the user.
  4. Your app then makes use of those attributes to create an account and immediately grant access to the user.

Unlike a simple email domain whitelist, JIT provisioning still makes use of a full, secure SSO handshake with your customers’ IdP. This is particularly important because it protects your app from email-spoofing attacks.

Read More: How to Provision Users “Just-In-Time” with WorkOS

What’s the difference between JIT and SCIM provisioning?

If you’ve already implemented SCIM, you may be wondering if JIT and SCIM just do the same thing. While they both achieve similar aims, there are two key differences:

  • Approval: Account provisioning with SCIM is either handled manually by your customer’s IT team or automatically by either a HR system, internal help desk or some other kind of automated approval system tied into your customer’s IdP.

    This means that the IT team are either taking manual action - handled under the hood by SCIM - to provision an account, or they’re investing the time to set up an automated provision requesting system, possibly on a system like ServiceNow or Workday. 

    Worse still, many enterprise provisioning processes are set up to require both an automatic system to provision the account, and a manual review and approval by IT to allow the provisioning.

    JIT is an antidote to these problems, allowing automated access to your app with no setup required by IT, and default approval with no need for IT teams to manually review and authorize user access.

  • Timing: Whereas JIT provision accounts while the user logs in with SSO, SCIM can provision - or modify - accounts at any time. SCIM will often be used to provision accounts days, weeks or even months before the employee actually logs in and uses them.

Overall, SCIM gives an IT team complete control over provisioning. They decide exactly which employees are able to access your app, retain the ability to change the user’s authorization level mid-session and the ability to remove a user’s access from your app entirely.

The tradeoff is that they need to take action to provision every new user. While this is appropriate for most enterprise software, it can be a painful requirement for software which is going to see widespread but unpredictable adoption across an enterprise, such as a communication tool, a developer tool or a productivity tool. 

For the widest appeal to IT and procurement teams, you’ll want to implement both SCIM and JIT provisioning in your app to allow you to support any kind of user provisioning strategy a customer might throw at you. 

If faced with a choice, however, SCIM pre-provisioning is by far the most common strategy used and should likely be prioritized over JIT provisioning on your roadmap. 

Learn more: SCIM Provisioning vs SAML: What Each Does, How to Use Them Together, and Security Implications

JIT provisioning with WorkOS

If you’d rather not wrestle with SAML assertions, build a SCIM endpoint and guess which provisioning strategy your next enterprise customer will need, then look at a done-for-you authentication service like WorkOS:

  • Get Started Fast: With SDKs for every popular platform and Slack-based support, you can implement SSO in minutes rather than weeks.
  • Avoid The Back-And-Forth: WorkOS’ Admin Portal takes the pain out of onboarding your customers’ IT teams and configuring your app to work with their identity provider.
  • Pricing That Makes Sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard - whether they bring 10 or 10,000 users to your app.

Explore Unified SSO by WorkOS.

In this article
Link
Link
Link
We’re hiring

Our global team is growing and we’re hiring all types of roles.

View open roles
About us

WorkOS builds developer tools for quickly adding enterprise features to applications.

Learn more

This site uses cookies to improve your experience. Please accept the use of cookies on this site. You can review our cookie policy here and our privacy policy here. If you choose to refuse, functionality of this site will be limited.