Skip to content
English
Contact Support
  • There are no suggestions because the search field is empty.

Just-In-Time User Provisioning: Frequently Asked Questions

Can SAML assertion attributes set categories and labels?

No. Custom Categories and Labels cannot be set during SAML SSO user creation.

When a user is created in Foundry through SAML SSO (Just‑In‑Time provisioning), Categories and Labels must already exist and be applied after the user is created.

For some implementations, custom demographic fields may be included in a SAML assertion and mapped to Foundry user demographics, but Categories and Labels are not supported during SSO‑based user creation.

Setting user type and role during SAML SSO user creation

During SAML SSO user creation, Foundry uses default values defined in the identity provider configuration. These defaults can be overridden through attribute mapping.

User type
  • A default User Type is defined in the Foundry IdP configuration
  • This default can be overridden by mapping a SAML attribute to the User Type field
User role
  • The Foundry IdP configuration also defines a default User Role associated with the selected User Type
  • Supported roles are:
    • Supervisor
    • Non‑Supervisor

If the User Type is overridden through the SAML assertion, the assertion must also provide a valid role that belongs to that User Type. If a role is missing or invalid, user creation will fail.

When does SAML SSO user creation make sense?

In most cases, if your organization has a known and relatively stable user population, it’s recommended to create users in Foundry ahead of time and assign training directly. In these scenarios, automatic user creation during SSO is usually unnecessary.

SAML SSO user creation is more useful when:

  • Users access training on demand
  • You do not know the full list of users in advance
  • Users are expected to authenticate and register themselves through SSO

Important limitations of SSO‑based user creation

When users are created during SAML SSO:

  • Categories and Labels cannot be assigned
  • Users may not meet assignment criteria that depend on Categories or Labels
  • Assignments that rely on Categories or Labels will not automatically include these users

If your training strategy depends on assigning courses based on Custom Categories or Labels, SSO‑based user creation may not be appropriate without an additional post‑creation process.