When Just-in-Time user provisioning is enabled for a third-party identity provider, users are created or updated in the Workspace ONE Access service during login based on SAML assertions. SAML assertions sent by the identity provider must contain certain attributes.
- The SAML assertion must include the
- The SAML assertion must include all the user attributes that are marked as required in the service.
To view or edit the user attributes in the Workspace ONE Access console, in the Identity & Access Management tab, click Setup and then click User Attributes.
Important: Ensure that the keys in the SAML assertion match the attribute names exactly, including the case.
- If you are configuring multiple domains for the Just-in-Time directory, the SAML assertion must include the domain attribute. The value of the attribute must match one of the domains configured for the directory. If the value does not match or a domain is not specified, login fails.
- If you are configuring a single domain for the Just-in-Time directory, specifying the domain attribute in the SAML assertion is optional. If you specify the domain attribute, ensure its value matches the domain configured for the directory. If the SAML assertion does not contain a domain attribute, the user is associated with the domain that is configured for the directory.
- If you want to allow user name updates, include the ExternalId attribute in the SAML assertion. The user is identified by the ExternalId. If, on a subsequent login, the SAML assertion contains a different user name, the user is still identified correctly, login succeeds, and the user name is updated in the Workspace ONE Access service.
Attributes from the SAML assertion are used to create or update users as follows.
- Attributes that are required or optional in the Workspace ONE Access service (as listed in the User Attributes page) are used.
- Attributes that do not match any attributes in the User Attributes page are ignored.
- Attributes without a value are ignored.
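The following script is an added example, not VMware code or any part of the Workspace ONE Access service. It applies the rules above (case-sensitive key match, required attributes, the domain rule for single- versus multi-domain directories, empty values ignored, ExternalId needed for user name updates) to a SAML assertion so an identity-provider administrator can check an assertion before enabling Just-in-Time provisioning. The required attribute names other than domain and ExternalId, the sample assertions, and the configured domain lists are constructed for the example.

```python
"""Pre-flight check of a SAML assertion against the Workspace ONE Access
Just-in-Time provisioning attribute rules. Added example, not VMware code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assumption: attributes marked as required on a hypothetical
# tenant's User Attributes page. Only the exact names (and their case) matter.
REQUIRED_ATTRIBUTES = ("userName", "firstName", "lastName", "email")


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.
    Attributes with no non-empty value are dropped, mirroring the service,
    which ignores attributes without a value."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        if values:
            attrs[attr.get("Name")] = values
    return attrs


def check_jit_assertion(assertion_xml, required=REQUIRED_ATTRIBUTES, configured_domains=()):
    """Return a list of problems that would make a JIT login fail.
    An empty list means the assertion satisfies the rules on this page."""
    attrs = extract_attributes(assertion_xml)
    problems = []
    lower_map = {name.lower(): name for name in attrs}

    # Required attributes must be present under an exactly matching key;
    # a key that differs only in case is reported separately so the fix is obvious.
    for name in required:
        if name in attrs:
            continue
        if name.lower() in lower_map:
            problems.append(f"required attribute '{name}' sent as '{lower_map[name.lower()]}' (case mismatch)")
        else:
            problems.append(f"required attribute '{name}' missing or empty")

    # Domain rule: mandatory and must match for multi-domain directories,
    # optional but must match if present for single-domain directories.
    domain = attrs.get("domain", [None])[0]
    if len(configured_domains) > 1:
        if domain is None:
            problems.append("multiple domains configured but 'domain' attribute is absent")
        elif domain not in configured_domains:
            problems.append(f"'domain' value '{domain}' matches none of {sorted(configured_domains)}")
    elif len(configured_domains) == 1 and domain is not None and domain != configured_domains[0]:
        problems.append(f"'domain' value '{domain}' does not match configured domain '{configured_domains[0]}'")

    return problems


def supports_username_updates(assertion_xml):
    """True when ExternalId is present, so a later user name change still
    maps to the same user instead of failing the login."""
    return "ExternalId" in extract_attributes(assertion_xml)


def _assertion(attribute_xml):
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement></saml:Assertion>")


def _attr(name, value):
    return f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'


# Constructed sample assertions (not captured from any real identity provider).
GOOD_ASSERTION = _assertion(
    _attr("userName", "jdoe") + _attr("firstName", "Jane") + _attr("lastName", "Doe")
    + _attr("email", "jdoe@example.com") + _attr("domain", "example.com")
    + _attr("ExternalId", "a1b2c3") + _attr("costCenter", "42"))  # costCenter: unmatched, ignored

BAD_ASSERTION = _assertion(
    _attr("username", "jdoe") + _attr("firstName", "Jane") + _attr("lastName", "Doe")
    + _attr("email", "") + _attr("domain", "corp.example"))  # wrong case, empty email, unknown domain

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        issues = check_jit_assertion(xml, configured_domains=("example.com", "corp.example.com"))
        print(label, "->", issues or "ok", "| username updates:", supports_username_updates(xml))
```

Run it against an assertion exported from the identity provider's test console; every line it prints is a change to make on the IdP side before users hit the login failure described above, and the costCenter attribute in the sample shows that unmatched attributes are simply dropped rather than reported.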