Just-In-Time Provisioning

Important: To enable JIT provisioning, you must have administrative privileges in your organization’s identity provider and one of the following Flexera One roles: Manage organization or Administer organization. For complete descriptions of each role available in Flexera One, see Flexera One Roles.

Organizations using Flexera One's SAML 2.0 single sign-on may enable Just-in-Time (JIT) provisioning for their Identity Providers (IdP) to automate user creation, and Group Sync to synchronize groups from their IdP to Flexera One.

Once an administrator has connected an IdP to Flexera One, the next step is to add the remaining users in the IdP to Flexera One. Email invitations can be sent to individual users from the Flexera One UI, but this is not practical for organizations with more than a few users. Only users who have already been added to Flexera One can sign in through their organization’s IdP, unless JIT provisioning is enabled. JIT Provisioning automatically adds users to Flexera One when they sign in.

The following table describes the behavior for a user who does not exist in Flexera One logging in through an IdP with JIT Provisioning either disabled or enabled.

| JIT Provisioning Setting | Description |
| --- | --- |
| Disabled | Sign in is rejected |
| Enabled | User is automatically added to Flexera One and sign in succeeds |

SAML 2.0 Assertion Attributes

The following user attributes are optional but highly recommended. As a best practice, include them in the assertion that the IdP sends to Flexera One for users who will be JIT provisioned.

| User Attribute | Description |
| --- | --- |
| firstName | The user's given name |
| lastName | The user's surname |

Caution: Flexera highly recommends that you include values for the firstName and lastName attributes. These attributes are sent in SAML and displayed in the Flexera One user interface, and they are also used across the platform.

Caution: For organizations using Azure Active Directory (AD), do not populate the optional Namespace field for either of the claims (attributes) shown following.
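The attribute guidance above can be checked against a captured assertion before JIT provisioning is enabled. The following is an added example, not Flexera code: the function name `lint_jit_attributes` and the sample assertion are constructed, and it assumes that a populated Namespace field shows up as a `namespace/name` value in the attribute's `Name`. It inspects attribute names only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RECOMMENDED = ("firstName", "lastName")  # attribute names listed on this page

# Constructed sample: lastName was emitted with a claim namespace prefix.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def lint_jit_attributes(assertion_xml):
    """Return a list of findings for the recommended JIT attributes."""
    # An assertion has no need for a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        texts = [(v.text or "").strip()
                 for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        values[attr.get("Name", "")] = [t for t in texts if t]
    findings = []
    for wanted in RECOMMENDED:
        if values.get(wanted):
            continue  # bare name present with a non-empty value
        qualified = [n for n in values if n.endswith("/" + wanted)]
        if qualified:
            findings.append(f"{wanted}: sent as namespace-qualified '{qualified[0]}'")
        elif wanted in values:
            findings.append(f"{wanted}: present but empty")
        else:
            findings.append(f"{wanted}: missing")
    return findings


if __name__ == "__main__":
    for finding in lint_jit_attributes(SAMPLE_ASSERTION):
        print(finding)
```

An empty list means both attributes arrive under their bare names with values.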

After a User is JIT-Provisioned

Note: Users onboarded to Flexera One by JIT Provisioning do not have passwords, and may only sign in to Flexera One with single sign-on.

Users created as a result of JIT Provisioning will be affiliated with the IdP’s organization, but they will not automatically be granted any roles. After a user has been created through JIT Provisioning, an administrator may add the user to pre-configured Flexera One groups, or grant roles directly to the user in Flexera One's User Management page.