Understand SAML Just-In-Time Provisioning

SAML Just-In-Time (JIT) Provisioning automates user account creation when the user first tries to perform SSO and the user doesn't yet exist in Oracle Identity Cloud Service. In addition to automatic user creation, JIT allows granting and revoking group memberships as part of provisioning. JIT can be configured to update provisioned users so the users’ attributes in the Service Provider (SP) store can be kept in sync with the Identity Provider (IDP) user store attributes.


Enable SAML Just-In-Time Provisioning. Oracle must enable this feature for you. To learn about the features that Oracle must enable for you and how to enable them, see Standard License Tier Features for Oracle Identity Cloud Service.


The advantages of JIT are:
  • The footprint of user accounts in Oracle Identity Cloud Service is limited to those users who actually log in via federated SSO, rather than all users in the Identity Provider user directory.
  • Reduced administrative costs as accounts are created on demand as part of the SSO process and the Identity Provider and Service Provider user stores don't have to be synchronized manually.
  • Any new users added later to the Identity Provider user store won't require administrators to create corresponding Service Provider accounts manually (users will always be in sync).

How It Works

There are four runtime flows for JIT Provisioning:
When Signing In, The User: Flow
Exists and JIT Provisioning is enabled. Normal SSO flow.
Doesn't exist and JIT Provisioning is not enabled. Normal SSO failure flow.
Doesn't exist and JIT creation is enabled. User is created, and populated with the SAML assertion attributes, as mapped in the JIT configuration.
Exists and JIT update is enabled. User attribute values are updated with the SAML assertion attributes, as mapped in the JIT configuration.
SAML JIT Provisioning can be configured only by using the /admin/v1/IdentityProviders REST API endpoint. See the following references to configure SAML JIT Provisioning: