How Just‑In‑Time (JIT) User Provisioning Works

Just‑In‑Time (JIT) User Provisioning controls what happens when a user attempts to sign in to Foundry using single sign‑on (SSO).

When a user signs in through SSO, Foundry checks whether that user already exists in the system.

What happens during SSO sign‑in

If the user already exists in Foundry

• The user is signed in as their existing account

If the user does not exist in Foundry

One of two outcomes occurs:

• JIT is not enabled (default behavior)

  • The user sees an error message and cannot sign in

• JIT is enabled

  • The user is automatically created in Foundry
  • The user is immediately signed in using théthe newly created account

How JIT provisioning creates users

When ComplyEQ enables JIT for your account, administrators can configure JIT in their identity provider by:

• Enabling Allow registration during SSO
• Defining default user values
• Mapping SAML attributes to Foundry user properties

When a new user signs in through SSO, Foundry creates the user using the values provided in the SAML response attributes.

When to use JIT provisioning

JIT provisioning is useful when:

• Users should be created automatically at first sign‑in
• You don’t want to pre‑upload all users
• User data is managed primarily through your identity provider

If JIT is not enabled, all users must already exist in Foundry before they can sign in.

Learn how to set up JIT

For step‑by‑step configuration instructions, see Set Up Just‑In‑Time User Provisioning.