User Creation and Management

If Just-in-Time user provisioning is enabled, when a user goes to the Workspace ONE Access service login page and selects a domain, the page redirects the user to the correct identity provider. The user logs in, is authenticated, and is redirected by the identity provider back to the Workspace ONE Access service with a SAML assertion. The attributes in the SAML assertion are used to create the user in the service. Only those attributes that match the user attributes defined in the service are used; other attributes are ignored. The user is also added to groups based on the attributes, and receives the entitlements that are set for those groups.

On subsequent logins, if there are any changes in the SAML assertion, the user is updated in the service.

Just-in-Time provisioned users cannot be deleted. To delete users, you must delete the Just-in-Time directory.

Note that all user management is handled through SAML assertions. You cannot create or update these users directly from the service. Just-in-Time users cannot be synced from Active Directory.

For information about the attributes required in the SAML assertion, see Requirements for SAML Assertions.

Just-in-Time Directory

The third-party identity provider must have a Just-in-Time directory associated with it in the service.

When you first enable Just-in-Time provisioning for an identity provider, you create a new Just-in-Time directory and specify one or more domains for it. Users belonging to those domains are provisioned to the directory. If multiple domains are configured for the directory, SAML assertions must include a domain attribute. If a single domain is configured for the directory, a domain attribute is not required in SAML assertions but if specified, its value must match the domain name.

Only one directory, of type Just-in-Time, can be associated with an identity provider that has Just-in-Time provisioning enabled.