Set Up Just-In-Time User Provisioning
Learn how to configure Just‑In‑Time user provisioning with SSO
Overview
Just‑In‑Time (JIT) user provisioning automatically creates a new user in Foundry the first time they sign in using single sign‑on (SSO). Each time the user signs in again, their profile can be updated based on the information sent by your identity provider (IdP).
In Foundry settings, the Allow automatic registration during SSO option is what turns on JIT provisioning; the two terms refer to the same feature.
Decision Note: When JIT Is (and Isn’t) Recommended
JIT provisioning is best for organizations that want Foundry to create user accounts automatically at first sign‑in instead of managing user creation separately. JIT is recommended only for select organizations and is optional for ComplyEQ clients.
JIT is typically a good fit when:
- You want users to be created automatically the first time they sign in via SSO
- Your IdP can reliably provide the user attributes needed to populate user profiles, such as name and email
JIT is typically not a good fit when:
- You need tight control over who can be created in Foundry, such as requiring all users to be pre‑approved or pre‑loaded
- Your IdP cannot consistently send the required attributes for new users
If you are unsure whether JIT provisioning is appropriate for your implementation, consult your Customer Success Manager for guidance on your specific setup.
Before You Start
SSO setup requires coordination with your IT team to exchange SAML metadata between your IdP and Foundry. This typically includes sharing a metadata file or metadata URL that contains key configuration details.
Still getting set up? See: Set Up Your Identity Provider in Foundry.
Enable JIT Provisioning
Once your account is enabled for this feature:
- Go to Settings > Single sign‑on in the Foundry Admin Portal
- Select Allow automatic registration during SSO to create new users automatically if they don’t already exist in Foundry
- (Optional) Select Suppress Welcome Emails if you do not want users created via SSO to receive a welcome email
Configure Default Settings for New Users
These settings apply only if you selected Allow automatic registration during SSO.
When new users are created during SSO, Foundry assigns default values for:
- Default User Type
- Default User Role
- Default Location (if used)
Defaults apply only to newly created users and do not affect existing users.
Map Required and Optional SAML Attributes
If you enabled automatic registration, you must map the following required attributes:
- First Name
- Last Name
You may also map:
- Location
- User Type
- Role
Optional attributes allow you to override the default values for specific users.
Attribute names are case‑sensitive: the attribute name in the SAML assertion must match the mapped name exactly, or the value is not applied.
Override Default Values with SAML Attributes
If your SAML assertion includes user attributes, Foundry can use them to override default values for newly created users.
- If you send a Location attribute, provide the Foundry location name (not an ID)
- If you send User Type and Role attributes, ensure they match valid values for your configuration
Behavior for Existing Users
Even if Allow automatic registration during SSO is not enabled, attribute mappings can still be used to update existing users during SSO sign‑in.
If the SAML assertion includes both a User Type and a Role:
- Foundry assigns the type and role combination if the user does not already have it
- If the user already has the type with a different role, Foundry updates the role
- Foundry does not remove existing type and role combinations
Save Your Configuration
When you finish configuring JIT provisioning and attribute mappings, select Save to apply your changes.
Update Existing Users Only (Optional)
You can configure SSO to update existing users without creating new users.
To do this:
- Do not select Allow automatic registration during SSO
- Leave default values empty
- Map only the attributes you want to update during sign‑in
With this configuration, only users who already exist in Foundry are updated during SSO.
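The following Python model walks through the decision rules described on this page: required and optional attribute mapping with exact (case‑sensitive) name matching, defaults applied only to newly created users, attribute overrides of those defaults, the add‑or‑update (never remove) rule for type and role combinations, and the update‑existing‑users‑only mode. It is an added illustration, not Foundry's code or any Foundry API; the SAML attribute names (FirstName, LastName, UserType, Role, Location), the field names, the `no_account` outcome for an unknown user when automatic registration is off, and the sample users are constructed assumptions.

```python
# Hypothetical model of the JIT provisioning rules on this page. Not Foundry's
# implementation; SAML attribute names, field names and sample users are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SsoConfig:
    auto_register: bool                      # "Allow automatic registration during SSO"
    default_user_type: Optional[str] = None  # defaults apply only to newly created users
    default_role: Optional[str] = None
    default_location: Optional[str] = None
    # SAML attribute name -> Foundry field. Matching is exact, so case matters.
    attribute_map: Dict[str, str] = field(default_factory=dict)


@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    location: Optional[str] = None           # Foundry location name, not an ID
    type_roles: Dict[str, str] = field(default_factory=dict)  # user type -> role


def extract_fields(assertion: Dict[str, str], config: SsoConfig) -> Dict[str, str]:
    """Pull mapped attributes out of a SAML assertion using exact-name matches."""
    return {
        foundry_field: assertion[saml_name]
        for saml_name, foundry_field in config.attribute_map.items()
        if saml_name in assertion
    }


def apply_type_and_role(user: User, user_type: str, role: str) -> None:
    """Add the combination, or update the role for a type the user already has.
    Existing combinations for other types are never removed."""
    user.type_roles[user_type] = role


def process_sign_in(email: str, assertion: Dict[str, str], config: SsoConfig,
                    directory: Dict[str, User]) -> Tuple[str, Optional[User]]:
    """Return (outcome, user). `directory` stands in for Foundry's user store."""
    fields = extract_fields(assertion, config)
    user = directory.get(email)

    if user is None:
        if not config.auto_register:
            # Assumed: with automatic registration off, an unknown user is not created.
            return "no_account", None
        missing = [f for f in ("first_name", "last_name") if f not in fields]
        if missing:
            # First Name and Last Name are required to create a new user.
            return "missing_required_attributes", None
        user = User(
            email=email,
            first_name=fields["first_name"],
            last_name=fields["last_name"],
            # A mapped attribute overrides the default; the default fills the gap.
            location=fields.get("location", config.default_location),
        )
        user_type = fields.get("user_type", config.default_user_type)
        role = fields.get("role", config.default_role)
        if user_type and role:
            apply_type_and_role(user, user_type, role)
        directory[email] = user
        return "created", user

    # Existing user: only mapped attributes are applied; defaults are never used.
    for attr in ("first_name", "last_name", "location"):
        if attr in fields:
            setattr(user, attr, fields[attr])
    if "user_type" in fields and "role" in fields:
        apply_type_and_role(user, fields["user_type"], fields["role"])
    return "updated", user


def demo() -> Dict[str, User]:
    """Replay the scenarios on this page with constructed sample data."""
    config = SsoConfig(
        auto_register=True,
        default_user_type="Employee", default_role="Learner", default_location="Head Office",
        attribute_map={"FirstName": "first_name", "LastName": "last_name",
                       "UserType": "user_type", "Role": "role", "Location": "location"},
    )
    directory: Dict[str, User] = {}
    # First sign-in: user is created and receives the defaults.
    process_sign_in("ada@example.com", {"FirstName": "Ada", "LastName": "Lovelace"}, config, directory)
    # Later sign-in with the same type and a different role: the role is updated.
    process_sign_in("ada@example.com", {"UserType": "Employee", "Role": "Manager"}, config, directory)
    # A second type/role combination is added; the first one is kept.
    process_sign_in("ada@example.com", {"UserType": "Contractor", "Role": "Learner"}, config, directory)
    return directory
```

Run `demo()` to see the user end up with both `Employee: Manager` and `Contractor: Learner`. The same `process_sign_in` function, given a config with `auto_register=False`, empty defaults and a mapping for only the fields you want refreshed, models the update‑existing‑users‑only setup from the section above. What Foundry shows an unknown user when automatic registration is off is not covered by this page, so the `no_account` outcome is only a placeholder.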