Just-in-Time provisioning provides another way of provisioning users in the Workspace ONE Access service. Instead of being synced from an Active Directory or other LDAP directory instance, Just-in-Time users are created and updated dynamically when they log in through SAML SSO or OpenID Connect SSO.

Note: This feature is not available for a Workspace ONE Access tenant that has VMware Identity Services enabled. See the Unsupported Workspace ONE Features topic in the Configuring User Provisioning and Identity Federation with VMware Identity Services guide.
Note: An OpenID Connect identity provider can only be configured for Workspace ONE Access cloud tenants.

In this scenario, Workspace ONE Access acts as the service provider (SP).

Just-in-Time provisioning can only be configured for third-party identity providers; it is not available for the connector. The third-party identity provider manages all user creation and updates, either through SAML assertions or through OpenID Connect claims.

Just-in-Time Directory

The third-party identity provider must have a Just-in-Time directory associated with it in the service.

When you enable Just-in-Time provisioning for an identity provider, you create a Just-in-Time directory and specify one or more domains for it. Users belonging to those domains are provisioned to the directory. If multiple domains are configured for the directory, a domain attribute must be included in the configuration. If a single domain is configured for the directory, a domain attribute is not required, but if specified, its value must match the domain name.

Only one directory, of type Just-in-Time, can be associated with an identity provider that has Just-in-Time provisioning enabled.

User Creation and Management

If Just-in-Time user provisioning is enabled, when a user goes to the Workspace ONE Access service login page and selects a domain, the page redirects the user to the identity provider configured for that domain. The user logs in, is authenticated, and the identity provider redirects the user back to the Workspace ONE Access service. The data required to provision the user is carried in the SSO response and is used to create the user in the Workspace ONE Access service. Only the user attributes that are mapped in the Workspace ONE Access directory are used to provision the user. The user is also added to groups based on those attributes and receives the entitlements that are set for those groups.

On subsequent logins, if there are any changes in user data, the user data is updated in the service.

Just-in-Time provisioned users cannot be deleted. To delete users, you must delete the Just-in-Time directory.

All user management is handled through the identity provider response. You cannot create or update these users directly from the service. Just-in-Time users cannot be synced from Active Directory or other LDAP directories.
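To make the domain and attribute-mapping rules above concrete, here is an added example in Python that models them; it is not Workspace ONE Access code. The JitDirectory class, the attribute names, and the requirement that the mapping yield a userName are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class JitDirectory:
    """Constructed model of a Just-in-Time directory: its domains and attribute mapping."""
    domains: set[str]                   # one or more domains configured for the directory
    attribute_map: dict[str, str]       # SSO attribute name -> directory attribute name
    users: dict[str, dict] = field(default_factory=dict)  # provisioned users, keyed by userName


def resolve_domain(directory: JitDirectory, attributes: dict) -> str:
    """Domain rule: required when several domains are configured; optional but must match with one."""
    domain = attributes.get("domain")
    if len(directory.domains) > 1:
        if domain is None:
            raise ValueError("domain attribute is required when multiple domains are configured")
    elif domain is None:
        (domain,) = directory.domains      # single domain: default to it when not asserted
    if domain not in directory.domains:
        raise ValueError(f"domain {domain!r} is not configured for this directory")
    return domain


def provision_from_sso_response(directory: JitDirectory, attributes: dict) -> tuple[str, dict]:
    """Create or update a user from the SSO response; returns (action, stored record)."""
    domain = resolve_domain(directory, attributes)
    # Only attributes mapped in the directory are used; anything else in the response is dropped.
    record = {dir_attr: attributes[sso_attr]
              for sso_attr, dir_attr in directory.attribute_map.items()
              if sso_attr in attributes}
    record["domain"] = domain
    if "userName" not in record:          # assumption: the mapping must yield a userName
        raise ValueError("SSO response does not supply the mapped userName attribute")
    key = record["userName"]
    existing = directory.users.get(key)
    if existing is None:
        action = "created"
    elif existing == record:
        action = "unchanged"
    else:
        action = "updated"                # later login with changed data refreshes the user
    directory.users[key] = record
    return action, record


def delete_user(directory: JitDirectory, user_name: str) -> None:
    """Individual Just-in-Time users cannot be deleted; only the whole directory can be."""
    raise PermissionError(f"cannot delete Just-in-Time user {user_name!r}; delete the directory instead")
```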