Step 5: Configuring Just In Time Provisioning in OCI IAM Identity Domains

  1. In the Identity Provider just created, click Configure JIT.

  2. On the Configure Just-in-time (JIT) provisioning page:

    1. Select Enable Just-In-Time (JIT) provisioning.

    2. Select Create a new identity domain user.

    3. Select Update the existing identity domain user.


    This image shows the Configure JIT provisioning page options.

  3. Under Map user attributes, provide the IdP user attribute name per the mapping below:

    Table 1-2 SAML User Attributes

    | SAML User Attribute Type | SAML User Attribute Name | IAM Domain User Attribute | Mandatory Attribute |
    |---|---|---|---|
    | Attribute | oc_userid | userName | Yes |
    | Attribute | oc_surname | familyName | Yes |
    | Attribute | oc_emailaddress | emails[primary eq true and type eq "work"].value | Yes. However, if the IAM Domain setting is set to make the primary email address not required, then email address is not a mandatory attribute in the mapping. |
    | Attribute | oc_givenname | givenName | No |
    | Attribute | oc_preferredlanguage | Preferred Language | No |
    | Attribute | oc_primaryworklocation | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_PrimaryWorkLocation | Yes |
    | Attribute | #upper($(assertion.oc_ownercode)) | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_UserOwnerCode | No |
    | Attribute | oc_employeenumber | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_UserEmployeeNo | No |
    | Attribute | oc_telephonenumber | phoneNumbers[type eq "mobile"].value | No |
    | Attribute | oc_title | Title | No |
    | Attribute | oc_displayname | displayName | No |
    | Attribute | oc_usertype | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_UserType | No |
    | Attribute | oc_orgcode | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_Department | No |
    | Attribute | oc_workphonenumber | phoneNumbers[type eq "work"].value | No |
    | Attribute | oc_userinitial | name.honorificPrefix | No |
    | Attribute | oc_middlename | name.middleName | No |
    | Attribute | oc_honorificsuffix | urn:ietf:params:scim:schemas:core:2.0:User:name.honorificSuffix | No |
    | Attribute | oc_timezone | urn:ietf:params:scim:schemas:core:2.0:User:timezone | No |
    | Attribute | oc_locale | urn:ietf:params:scim:schemas:core:2.0:User:locale | No |


    This image shows the attribute mappings.

    Note:

    Ensure the mappings for the required user attributes (highlighted in the above image) are added before you save your changes. The remaining attributes can be added through Postman in Step 7.

  4. Select Assign group mapping.

  5. Apply the changes as shown in the image below:


    This image shows the options you need to apply. The Assign group mapping, Assign implicit group membership mappings, Replace existing group memberships, and Ignore the missing group options must all be selected.

  6. Click Save changes.
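
To check an IdP's assertion against the mandatory attributes in Table 1-2 before relying on JIT provisioning, the following added example (not part of the Oracle documentation) maps a SAML attribute statement to IAM domain attributes and reports which mandatory attributes are missing. The function name, the `email_required` flag, the sample values, and the reading of `#upper(...)` as upper-casing the `oc_ownercode` value are assumptions; only a subset of the table is included.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CUSTOM = "urn:ietf:params:scim:schemas:idcs:extension:custom:User:"
# Subset of Table 1-2: SAML attribute name -> (IAM domain attribute, mandatory)
MAPPING = {
    "oc_userid": ("userName", True),
    "oc_surname": ("familyName", True),
    "oc_emailaddress": ('emails[primary eq true and type eq "work"].value', True),
    "oc_primaryworklocation": (CUSTOM + "OC_PrimaryWorkLocation", True),
    "oc_givenname": ("givenName", False),
    "oc_ownercode": (CUSTOM + "OC_UserOwnerCode", False),  # via #upper(...)
}

def map_assertion(xml_text, email_required=True):
    """Return (mapped_attributes, missing_mandatory_names) for one assertion."""
    # ElementTree is acceptable for this constructed sample; use a hardened
    # parser such as defusedxml for XML received from outside.
    root = ET.fromstring(xml_text)
    received = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        if value.strip():  # an empty value counts as missing
            received[attr.get("Name")] = value.strip()
    mapped, missing = {}, []
    for saml_name, (target, mandatory) in MAPPING.items():
        if saml_name == "oc_emailaddress":
            mandatory = email_required  # domain setting can make email optional
        if saml_name in received:
            value = received[saml_name]
            if saml_name == "oc_ownercode":
                value = value.upper()  # assumed effect of #upper(...)
            mapped[target] = value
        elif mandatory:
            missing.append(saml_name)
    return mapped, missing

# Constructed sample attribute statement (no email address supplied)
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="oc_userid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="oc_surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="oc_ownercode"><saml:AttributeValue>abc1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="oc_primaryworklocation"><saml:AttributeValue>HQ</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    print(map_assertion(SAMPLE))
    print(map_assertion(SAMPLE, email_required=False))
```

Run it against an attribute statement captured from a test login to see which mandatory mappings the IdP is not yet sending.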