When Just-in-Time user provisioning is enabled for a SAML third-party identity provider, users are created or updated in the Workspace ONE Access service during login based on SAML assertions. SAML assertions sent by the identity provider must contain certain attributes.
- The SAML assertion must include the
- The SAML assertion must include all the attributes that are marked as required in the User Attributes page in the Workspace ONE Access service.
You can view the user attributes on the User Attributes page in the admin console. Important: Ensure that the keys in the SAML assertion match the attribute names exactly, including the case.
- If you are configuring multiple domains for the Just-in-Time directory, the SAML assertion must include the domain attribute. The value of the attribute must match one of the domains configured for the directory. If the value does not match or a domain is not specified, login fails.
- If you are configuring a single domain for the Just-in-Time directory, specifying the domain attribute in the SAML assertion is optional. If you specify the domain attribute, ensure that its value matches the domain configured for the directory. If the SAML assertion does not contain a domain attribute, the user is associated with the domain that is configured for the directory.
- If you want user name changes to be updated, include the ExternalId attribute in the SAML assertion. The user is identified by the ExternalId. If on a subsequent login the SAML assertion contains a different user name, the user is still identified correctly, login succeeds, and the user name is updated in the Workspace ONE Access service.
Attributes from the SAML assertion are used to create or update users as follows.
- Attributes that are listed as required or optional on the User Attributes page in the Workspace ONE Access service are used.
- SAML attributes that do not match any attributes in the User Attributes page are ignored.
- SAML attributes without a value are ignored.
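As an added illustration (not Workspace ONE Access code), the following Python applies the rules above to a constructed SAML AttributeStatement: exact, case-sensitive key matching, required-attribute checks, the single- versus multiple-domain rules, ExternalId as the stable identity, and dropping unknown or empty attributes. The set of required attributes, the configured domain names and the shape of the resulting user record are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed directory configuration: which attributes are marked required/optional
# on the User Attributes page. Real names must match the admin console exactly.
REQUIRED = {"userName", "firstName", "lastName", "email"}
OPTIONAL = {"ExternalId", "domain"}

def make_assertion(attrs):
    """Build a constructed SAML 2.0 assertion (sample input only) from a name->value dict."""
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (name, value) for name, value in attrs.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>' % body)

def parse_attributes(assertion_xml):
    """Return {Name: value} for every Attribute in the AttributeStatement, dropping empty values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        if value:  # SAML attributes without a value are ignored
            attrs[attr.get("Name")] = value
    return attrs

def provision(assertion_xml, configured_domains):
    """Return (True, user_record) when the assertion satisfies the JIT rules, else (False, reason)."""
    attrs = parse_attributes(assertion_xml)
    # Key matching is exact and case-sensitive: "Email" does not satisfy "email".
    user = {k: v for k, v in attrs.items() if k in REQUIRED | OPTIONAL}
    missing = REQUIRED - set(user)
    if missing:
        return False, "missing required attributes: " + ", ".join(sorted(missing))
    domain = user.get("domain")
    if len(configured_domains) > 1:
        # Multiple domains: the domain attribute is mandatory and must match one of them.
        if domain not in configured_domains:
            return False, "domain attribute missing or not one of the configured domains"
    else:
        # Single domain: the attribute is optional, but if present it must match.
        if domain is not None and domain != configured_domains[0]:
            return False, "domain attribute does not match the configured domain"
        user["domain"] = configured_domains[0]
    # ExternalId, when sent, is the stable identity so a later userName change maps to the same user.
    user["identity"] = user.get("ExternalId", user["userName"])
    return True, user
```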