Administrators or end users may see errors related to Just-in-Time provisioning. For example, if a required attribute is missing in the SAML assertion, an error occurs and the user is unable to log in.

The following errors can appear in the VMware Identity Manager console.

Error Message Solution
If JIT User provisioning is enabled, at least one directory must be associated with identity provider. There is no directory associated with the identity provider. An identity provider with the Just-in-Time provisioning option enabled must have a Just-in-Time directory associated with it.
  1. In the Identity & Access Management tab in the VMware Identity Manager console, click Identity Providers and click the identity provider.
  2. In the Just-in-Time User Provisioning section, specify a directory name and one or more domains.
  3. Click Save.

A Just-in-Time directory is created.

The following errors can appear on the log-in page:

Error Message Solution
User attribute is missing: name. A required user attribute is missing in the SAML assertion sent by the third-party identity provider. All attributes that are marked required in the User Attributes page must be included in the SAML assertion. Modify the third-party identity provider settings to send the correct SAML assertions.
Domain is missing and cannot be inferred. The SAML assertion does not include the domain attribute and the domain cannot be determined. A domain attribute is required in the following cases:
  • If multiple domains are configured for the Just-in-Time directory.
  • If domain is marked as a required attribute in the User Attributes page.

If a domain attribute is specified, its value must match one of the domains specified for the directory.

Modify the third-party identity provider settings to send the correct SAML assertions.

Attribute name: name, value: value. The attribute in the SAML assertion does not match any of the attributes in the User Attributes page in the tenant and will be ignored.
Failed to create or update a JIT user. The user could not be created in the service. Possible causes include the following:
  • A required attribute is missing in the SAML assertion.

    Review the attributes in the User Attributes page and ensure that the SAML assertion includes all the attributes that are marked required.

  • The domain for the user could not be determined.

    Specify the domain attribute in the SAML assertion and ensure that its value matches one of the domains configured for the Just-in-Time directory.