When Just-in-Time provisioning is enabled for an OpenID Connect third-party identity provider, users are created in Workspace ONE Access and updated dynamically when they log in, based on the token sent by the identity provider.

The OpenID Connect token must include the following attributes (claims) in the response to Workspace ONE Access.

  • Domain Attribute. If you are configuring multiple domains for the Just-in-Time directory, the OpenID Connect token must include the domain attribute. The value of the attribute must match one of the domains configured for the directory. If the value does not match or a domain is not specified, login fails.
  • The OpenID Connect token must include all the attributes that are marked as required in the User Attributes page in the Workspace ONE Access service.

    You can view or edit the user attributes in the Workspace ONE Access console Settings > User Attributes page.

The required attributes from the User Attributes page are configured in the OpenID Connect configuration under User Attribute Mapping. After successful authentication, attributes from the OpenID Connect scope ID token are used to create or update a JIT user's information.

  • Attributes that are configured on the OpenID Connect identity provider configuration under User Attribute Mapping are used.
  • Attributes that do not match any attributes in the User Attributes page are ignored.
  • Attributes without a value are ignored.