# Configuring Just-In-Time (JIT) Provisioning

{% hint style="success" %}

#### Required User Credentials

\[**Flosum User**] - **SystemAdministrator** Role
{% endhint %}

## ![](/files/LowV1q5srWJvPnm0X9bc) Overview

Flosum supports Just-In-Time (JIT) Provisioning for both OIDC and SAML identity providers. JIT Provisioning automatically creates and updates user accounts in Global Settings when a user first logs in via SSO. Since the identity provider supplies user information, JIT Provisioning saves time by eliminating the need to manually create users. Your identity provider must be properly configured before you enable JIT Provisioning.

{% hint style="info" %}
You can use SCIM as an alternative to JIT Provisioning, or combine the two. The SCIM API automates user provisioning in your Flosum tenant, letting you provision, manage, and deprovision users seamlessly. For more details about SCIM, see the article below.

* [Configuring SCIM for Flosum](/global-settings/security/identity-providers-sso/configuring-scim-for-flosum.md)
  {% endhint %}

## Enabling JIT Provisioning

You enable JIT Provisioning for an identity provider when you create or edit that identity provider.

1. Check the **Just-In-Time Provisioning** checkbox to enable this feature.
2. Click **Save** to save the change.

   <div align="left"><figure><img src="/files/nKmyxnBBk65aJyid7MS4" alt="" width="563"><figcaption></figcaption></figure></div>

For more details about creating or editing an identity provider, see the following articles.

* [Adding an Identity Provider (SSO)](/global-settings/security/identity-providers-sso/adding-an-identity-provider-sso.md)
* [Managing Identity Providers (SSO)](/global-settings/security/identity-providers-sso/managing-identity-providers-sso.md)

## Identity Provider Mapped Attributes

For an identity provider to be able to use JIT Provisioning to add user accounts to your Flosum tenant, you must configure your identity provider to map user attributes to specific values. See the following table for a list of the attributes.

<table><thead><tr><th width="160">User Attribute</th><th>Description</th></tr></thead><tbody><tr><td>uniqueUserId</td><td>The ID used by the identity provider to identify user accounts.</td></tr><tr><td>firstName</td><td>The first or given name of the user.</td></tr><tr><td>lastName</td><td>The last name or surname of the user.</td></tr><tr><td>email</td><td>The email address of the user.</td></tr></tbody></table>

The following sections provide information on configuring specific identity providers to work with JIT Provisioning.

<details>

<summary>Microsoft Entra ID Attribute Mapping</summary>

1. Log in to your Entra ID account.
2. Access the **SAML Attributes & Claims** page.
3. Ensure your **Attributes & Claims** are correctly set. See the screenshot and table below.

<div align="left"><figure><img src="/files/7cZQvntPoMwz0XbBmTSi" alt="" width="563"><figcaption></figcaption></figure></div>

| Claim Name   | Value          |
| ------------ | -------------- |
| userUniqueId | user.objectid  |
| firstName    | user.givenname |
| lastName     | user.surname   |
| email        | user.mail      |

</details>

<details>

<summary>Okta Attribute Mapping</summary>

1. Log in to your Okta account.
2. View your **SAML 2.0(Header Auth)** on the **Sign On** tab.
3. Ensure your **SAML 2.0 Attributes** are correctly set. See the screenshot and table below.

<div align="left"><figure><img src="/files/ov7lDTnHXf0sK2O8ajiO" alt="" width="524"><figcaption></figcaption></figure></div>

| Name         | Value          |
| ------------ | -------------- |
| uniqueUserId | user.id        |
| firstName    | user.firstName |
| lastName     | user.lastName  |
| email        | user.email     |

</details>

<details>

<summary>PingOne Attribute Mapping</summary>

1. Log in to your PingOne account.
2. Access the **Attribute Mappings** page.
3. Ensure your **Attribute mappings** are correctly set. See the screenshot and table below.

<div align="left"><figure><img src="/files/uPu0ZmWvKv2brdobYP0k" alt="" width="563"><figcaption></figcaption></figure></div>

| Claim Name   | Value         |
| ------------ | ------------- |
| userUniqueId | User ID       |
| firstName    | Given Name    |
| lastName     | Family Name   |
| email        | Email Address |

</details>
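
The following Python check is an added example, not Flosum's code: it inspects a SAML assertion captured from a test login and reports which of the mapped attributes from the tables above are missing, empty, or unexpectedly named. The sample assertion and the function names are constructed for illustration; because the tables on this page spell the ID attribute both `uniqueUserId` and `userUniqueId`, the check accepts either and reports which one it found.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names taken from this page's tables. The ID attribute appears under
# two spellings on the page, so either is accepted and the one found is reported.
ID_NAMES = ("uniqueUserId", "userUniqueId")
REQUIRED = ("firstName", "lastName", "email")

# Constructed sample (not real IdP output): lastName is mapped under the wrong
# name and email has no value.
SAMPLE_ASSERTION = """\
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <AttributeStatement>
    <Attribute Name="userUniqueId"><AttributeValue>constructed-id-1</AttributeValue></Attribute>
    <Attribute Name="firstName"><AttributeValue>Ada</AttributeValue></Attribute>
    <Attribute Name="surname"><AttributeValue>Example</AttributeValue></Attribute>
    <Attribute Name="email"><AttributeValue></AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>
"""

def extract_attributes(assertion_xml):
    """Return {attribute name: first non-empty value, or ''} from an assertion."""
    # Mapping check only: no signature validation. For XML you do not control,
    # parse with a hardened library such as defusedxml instead.
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = next((v for v in values if v), "")
    return attrs

def check_jit_mapping(assertion_xml):
    """Report which JIT attributes are missing, empty, or unexpected."""
    attrs = extract_attributes(assertion_xml)
    id_found = [n for n in ID_NAMES if n in attrs]
    expected = set(REQUIRED) | set(ID_NAMES)
    return {
        "id_attribute": id_found[0] if id_found else None,
        "missing": [n for n in REQUIRED if n not in attrs]
                   + ([] if id_found else ["uniqueUserId"]),
        "empty": sorted(n for n in expected if n in attrs and not attrs[n]),
        "unexpected": sorted(n for n in attrs if n not in expected),
    }

if __name__ == "__main__":
    print(check_jit_mapping(SAMPLE_ASSERTION))
```
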

