Just-in-Time provisioning provides another way of provisioning users in the Workspace ONE Access service. Instead of syncing users from an Active Directory instance, with Just-in-Time provisioning users are created and updated dynamically when they log in, based on SAML assertions sent by the identity provider.

In this scenario, Workspace ONE Access acts as the SAML service provider (SP).

Just-in-Time configuration can only be configured for third-party identity providers. It is not available for the connector.

With a Just-in-Time configuration, you do not need to install a connector on premises as all user creation and management is handled through SAML assertions and authentication is handled by the third-party identity provider.

User Creation and Management

If Just-in-Time user provisioning is enabled, when a user goes to the Workspace ONE Access service login page and selects a domain, the page redirects the user to the correct identity provider. The user logs in, is authenticated, and is redirected by the identity provider back to the Workspace ONE Access service with a SAML assertion. The attributes in the SAML assertion are used to create the user in the service. Only those attributes that match the user attributes defined in the service are used; other attributes are ignored. The user is also added to groups based on the attributes, and receives the entitlements that are set for those groups.

On subsequent logins, if there are any changes in the SAML assertion, the user is updated in the service.

Just-in-Time provisioned users cannot be deleted. To delete users, you must delete the Just-in-Time directory.

Note that all user management is handled through SAML assertions. You cannot create or update these users directly from the service. Just-in-Time users cannot be synced from Active Directory.

For information about the attributes required in the SAML assertion, see Requirements for SAML Assertions.

Just-in-Time Directory

The third-party identity provider must have a Just-in-Time directory associated with it in the service.

When you first enable Just-in-Time provisioning for an identity provider, you create a new Just-in-Time directory and specify one or more domains for it. Users belonging to those domains are provisioned to the directory. If multiple domains are configured for the directory, SAML assertions must include a domain attribute. If a single domain is configured for the directory, a domain attribute is not required in SAML assertions but if specified, its value must match the domain name.

Only one directory, of type Just-in-Time, can be associated with an identity provider that has Just-in-Time provisioning enabled.