Just-In-Time Provisioning

Important: To enable JIT provisioning, you must have administrative privileges in your organization’s identity provider and one of the following Flexera One roles: Manage organization or Administer organization. For complete descriptions of each role available in Flexera One, see Flexera One Roles.

Organizations using Flexera One's SAML 2.0 single sign-on may enable Just-in-Time (JIT) provisioning for their Identity Providers (IdP) to automate user creation, and Group Sync to synchronize groups from their IdP to Flexera One.

Once an IdP is connected to Flexera One by an administrator, the next step is to add the remaining users in the IdP to Flexera One. To add users, email invitations can be sent to individual users from the Flexera One UI, but this is not practical for organizations with more than a few users. Only users who have already been added to Flexera One can sign in through their organization’s IdP, unless JIT provisioning is enabled. JIT Provisioning automatically adds users to Flexera One when they sign in.

The following table describes the behavior for a user who does not exist in Flexera One logging in through an IdP with JIT Provisioning either disabled or enabled.

| JIT Provisioning Setting | Description |
| --- | --- |
| Disabled | Sign in is rejected |
| Enabled | User is automatically added to Flexera One and sign in succeeds |

Required SAML 2.0 Assertion Attributes

The following user attributes must be included in the assertion sent by the IdP to Flexera One for a user to be successfully JIT provisioned.

| User Attribute | Description |
| --- | --- |
| firstName | The user's given name |
| lastName | The user's surname |

Caution: If any of the above required attributes are missing, JIT Provisioning fails, and the user is unable to sign in to Flexera One.

Caution: For organizations using Azure Active Directory (AD), do not populate the optional Namespace field for either of the claims (attributes) shown following.
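A pre-flight check for the two cautions above, as an added example (not Flexera's code): it reads the AttributeStatement of a SAML 2.0 assertion captured from a test sign-in at your own IdP and reports what would block JIT provisioning. The sample assertions are constructed; treating an empty value as a failure and the `<namespace>/<name>` claim form are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName")  # required attribute names from the table above


def check_jit_attributes(assertion_xml):
    """Return a list of problems that would block JIT provisioning (empty if none).

    Diagnostic only: run it on an assertion captured from your own IdP.
    It does not validate the assertion's signature or conditions.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name", "")] = [v for v in values if v]
    problems = []
    for name in REQUIRED:
        if found.get(name):
            continue  # present with a non-empty value
        if name in found:
            # Assumption: an attribute sent with no value is as bad as a missing one.
            problems.append(f"{name}: present but empty")
            continue
        # Assumption: a populated Namespace makes the IdP emit "<namespace>/<name>".
        qualified = [n for n in found if n.endswith("/" + name)]
        if qualified:
            problems.append(f"{name}: sent as '{qualified[0]}'; clear the claim's Namespace field")
        else:
            problems.append(f"{name}: missing from assertion")
    return problems


def sample_assertion(attrs):
    """Build a constructed, unsigned assertion fragment from (Name, value) pairs."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs
    )
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")


# Constructed samples: one correct, one with a namespaced claim and no lastName.
GOOD = sample_assertion([("firstName", "Ada"), ("lastName", "Lovelace")])
NAMESPACED = sample_assertion([("http://example.test/claims/firstName", "Ada")])

if __name__ == "__main__":
    for label, xml in (("GOOD", GOOD), ("NAMESPACED", NAMESPACED)):
        print(label, check_jit_attributes(xml) or "ok")
```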

After a User is JIT-Provisioned

Note: Users onboarded to Flexera One by JIT Provisioning do not have passwords, and may only sign in to Flexera One with single sign-on.

Users created as a result of JIT Provisioning will be affiliated with the IdP’s organization, but they will not automatically be granted any roles. After a user has been created through JIT Provisioning, an administrator may add the user to pre-configured Flexera One groups, or grant roles directly to the user in Flexera One's User Management page.