You can configure Just-in-Time (JIT) provisioning to support adding users without syncing from your Active Directory.

To support Just-in-Time provisioning, you must add a third party identity provider and then configure a connection to it within your vRealize Automation deployment to integrate Directories Management with other SSO providers via a SAML protocol. In addition, you must create a new directory with the appropriate name, such as JIT Directory.

When you enable Just-in-Time provisioning, you can add Just-in-Time users to a designated custom group. To support this functionality, create a custom group with the appropriate members. See Add Just-in-Time Users with Custom Groups and Rules.

Note: As a best practice, do not configure Just-in-Time provisioning on the default vsphere.local tenant.


Configure an appropriate third party identity provider for use with JIT provisioning.


  1. Create an identity provider for Just-in-Time provisioning.
    1. Select Administration > Directories management > Identity Providers
    2. Click Add Identity Provider and edit the identity provider instance settings as appropriate.
      • For just in time provisioning, create a third party identity provider.
      • In the Create Just-in-Time Directory section, enter names for the directory and one or more domains.
      • You must select a network for the third party identity provider configuration.
      • If you are using an external VMware Identity Manager as your third party identity provider, and you are using userPrincipleName to authenticate users, you must change the Name ID mapping configuration for userPrincipleName from the default of x509SubjectName to unspecified.

      See Configure a Third Party Identity Provider Connection for more information about creating identity providers.

  2. Configure SAML on the Just-in-Time identity provider.
    1. Copy IdP metadata from your identity provider.
    2. In vRealize Automation, select your identity provider and paste the IdP metadata into the Identity Provider Metadata (URL or XML) text box.
    3. Click Save.
    4. In the Name ID policy in SAML Request (Optional) drop-down menu, select the appropriate format.
      For example, if you are using the emal address as the unique user identifier, you would select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    5. Select the appropriate directory under the Users heading.
    6. Select the networks for use by this identity provider under the Network heading.
    7. Specify an appropriate name in the Authentication Methods text box.
    8. In the SAML Context drop down, select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    9. Right-click the Service Provider (SP) Metadata link, and open it in a separate browser tab.
    10. Use this metadata to configure the SAML connection on your identity provider.
    If you are using VMware Identity Manager see the VMware Identity Manager documentation for complete instructions on configuring SAML.
  3. Click Add.
    The new directory is created using the Directory Name provided.
  4. Configure the vRealize Automation Access Policy.
    1. Select Administration > Policies.
    2. Click the green + icon at the top right of the policy rules table.
    3. Set the policy rule to apply to applicable ranges and device types.
    4. Select the authentication method that you created when configuring the third party identity provider for JIT provisioning for the authentication method.