When Just-in-Time user provisioning is enabled for a SAML third-party identity provider, users are created or updated in the Workspace ONE Access service during login based on SAML assertions. SAML assertions sent by the identity provider must contain certain attributes.

  • The SAML assertion must include the userName attribute.
  • The SAML assertion must include all the attributes that are marked as required in the User Attributes page in the Workspace ONE Access service.

    To view or edit the user attributes in the Workspace ONE Access console, in the Identity & Access Management tab, click Setup and then click User Attributes.

    Important: Ensure that the keys in the SAML assertion match the attribute names exactly, including the case.
  • If you are configuring multiple domains for the Just-in-Time directory, the SAML assertion must include the domain attribute. The value of the attribute must match one of the domains configured for the directory. If the value does not match or a domain is not specified, login fails.
  • If you are configuring a single domain for the Just-in-Time directory, specifying the domain attribute in the SAML assertion is optional.

    If you specify the domain attribute, ensure that its value matches the domain configured for the directory. If the SAML assertion does not contain a domain attribute, the user is associated with the domain that is configured for the directory.

  • If you want user name changes to be updated, include the ExternalId attribute in the SAML assertion. The user is identified by the ExternalId. If, on a subsequent login, the SAML assertion contains a different user name, the user is still identified correctly, login succeeds, and the user name is updated in the Workspace ONE Access service.

Attributes from the SAML assertion are used to create or update users as follows.

  • Attributes that are listed as required or optional in the User Attributes page in the Workspace ONE Access service are used.
  • SAML attributes that do not match any attributes in the User Attributes page are ignored.
  • SAML attributes without a value are ignored.
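The following is an added example, not code from the Workspace ONE Access product or its documentation. It models the two lists above (which attributes an assertion must carry, and which of them are used to create or update the user) as a small evaluator over a constructed SAML 2.0 AttributeStatement: the `userName` check is case-sensitive, attributes marked Required must all be present, the single-domain and multi-domain rules for the `domain` attribute are applied, unknown and empty attributes are dropped, and `ExternalId` keys the user record so that a changed `userName` updates the existing user. `JitDirectoryConfig`, `JitResult`, `build_assertion`, `evaluate_jit`, `provision` and the in-memory `store` are all hypothetical names chosen for this example; the attribute names and domains in the sample are constructed values, and the treatment of `domain` and `ExternalId` as consumed rather than stored, and of users without an `ExternalId`, are assumptions noted in the comments.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
_S = "{%s}" % SAML_NS["saml"]  # Clark-notation prefix used when building elements


@dataclass(frozen=True)
class JitDirectoryConfig:
    """Console settings the evaluator needs: the domain(s) configured for the
    Just-in-Time directory and the attribute names marked required / optional
    on the User Attributes page. Hypothetical structure, not a product API."""
    domains: tuple[str, ...]
    required_attrs: frozenset[str]
    optional_attrs: frozenset[str]


@dataclass
class JitResult:
    ok: bool
    reason: str = ""
    domain: str | None = None
    external_id: str | None = None
    attributes: dict[str, str] = field(default_factory=dict)


def build_assertion(attrs: dict[str, str]) -> str:
    """Build a minimal, unsigned SAML 2.0 Assertion with one AttributeStatement.
    Constructed test input only; a real IdP also sends Subject, Conditions, Signature."""
    ET.register_namespace("saml", SAML_NS["saml"])
    root = ET.Element(_S + "Assertion")
    stmt = ET.SubElement(root, _S + "AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, _S + "Attribute", Name=name)
        ET.SubElement(attr, _S + "AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def extract_attributes(assertion_xml: str) -> dict[str, str]:
    """Return {Name: first AttributeValue text}. Names are kept exactly as sent,
    so matching against the User Attributes page is case-sensitive."""
    root = ET.fromstring(assertion_xml)
    out: dict[str, str] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        val = attr.find("saml:AttributeValue", SAML_NS)
        out[attr.get("Name", "")] = (val.text or "").strip() if val is not None else ""
    return out


def evaluate_jit(assertion_xml: str, cfg: JitDirectoryConfig) -> JitResult:
    """Apply the page's rules to one assertion and decide whether login proceeds."""
    # SAML attributes without a value are ignored.
    attrs = {k: v for k, v in extract_attributes(assertion_xml).items() if v}

    # userName is mandatory and the key must match exactly ("username" does not count).
    if "userName" not in attrs:
        return JitResult(False, "SAML assertion lacks the userName attribute")

    # Every attribute marked required on the User Attributes page must be present.
    missing = sorted(cfg.required_attrs - attrs.keys())
    if missing:
        return JitResult(False, f"missing required attributes: {missing}")

    # Domain rules differ between multi-domain and single-domain JIT directories.
    domain = attrs.get("domain")
    if len(cfg.domains) > 1:
        if domain is None:
            return JitResult(False, "multiple domains configured but no domain attribute")
        if domain not in cfg.domains:
            return JitResult(False, f"domain {domain!r} is not configured for the directory")
    else:
        if domain is None:
            domain = cfg.domains[0]  # optional attribute: fall back to the directory's domain
        elif domain != cfg.domains[0]:
            return JitResult(False, f"domain {domain!r} does not match {cfg.domains[0]!r}")

    # Only required/optional attributes are used; anything else is ignored. domain and
    # ExternalId are consumed above rather than stored as user attributes (assumption).
    known = cfg.required_attrs | cfg.optional_attrs
    used = {k: v for k, v in attrs.items() if k in known}
    return JitResult(True, "", domain, attrs.get("ExternalId"), used)


def provision(store: dict[str, dict], result: JitResult) -> dict:
    """Create or update the user in `store`, a constructed in-memory stand-in for the
    user store. A user sent with ExternalId is keyed by it, so a later assertion with a
    new userName updates the same record; without ExternalId the record is keyed by
    userName (assumption: the page only describes the ExternalId case)."""
    if not result.ok:
        raise ValueError(f"login failed: {result.reason}")
    key = result.external_id or result.attributes["userName"]
    record = store.setdefault(key, {})
    record.update(result.attributes)
    record["domain"] = result.domain
    return record


# Constructed configurations: four required attributes, one optional.
SINGLE_DOMAIN = JitDirectoryConfig(
    domains=("example.com",),
    required_attrs=frozenset({"userName", "firstName", "lastName", "email"}),
    optional_attrs=frozenset({"department"}),
)
MULTI_DOMAIN = JitDirectoryConfig(
    domains=("example.com", "corp.example.com"),
    required_attrs=SINGLE_DOMAIN.required_attrs,
    optional_attrs=SINGLE_DOMAIN.optional_attrs,
)

# Constructed assertion with one unknown attribute (title) and one empty one (phone).
SAMPLE_ASSERTION = build_assertion({
    "userName": "jdoe", "firstName": "Jane", "lastName": "Doe",
    "email": "jdoe@example.com", "domain": "example.com", "ExternalId": "a1b2c3",
    "department": "Security", "title": "Engineer", "phone": "",
})
```

Running `provision({}, evaluate_jit(SAMPLE_ASSERTION, SINGLE_DOMAIN))` yields a record carrying only the five known attributes plus the resolved domain; `title` and `phone` never reach the user. Switching to `MULTI_DOMAIN` and omitting `domain` from the assertion reproduces the login failure described above, and sending the same `ExternalId` with a different `userName` twice updates one record instead of creating a second user.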