JIT provisioning: what is JIT provisioning in SaaS authentication?

JIT provisioning: what is it?

If you set up single sign-on (SSO) in business software, you may receive a valid SSO login for a user you've never seen before. For example, if your customer is Apple, you may one day receive a steve.jobs@apple.com login from Apple's corporate identity provider.

The standard, expected behavior is that you immediately create a new account for steve.jobs@apple.com if one doesn't exist. That's the established convention in business software.

We call that new account creation "Just-in-time (JIT) Provisioning".

Not that complex, right? Kind of annoying that we have so much jargon in this business.

Related ideas

Identity providers vs. service providers

There's a lot of jargon to navigate if you're just trying to make sense of how auth works in business software. I highly recommend that you start here, with my explanation of the differences between identity providers (IDPs) and service providers (SPs).

What is single sign-on (SSO)?

Once you have a good handle on IDPs and SPs, I suggest giving a quick glance to A Gentle Introduction to SAML. It's an article I wrote a long time ago that aims to do two things:

  1. Provide a little bit of context and motivation for single sign-on in business software.
  2. Explain in minimally technical terms how the most common protocol (called SAML) for single sign-on actually works.

What is SCIM provisioning?

You probably also want some context on what programmatic, bulk provisioning from corporate identity providers looks like. In nearly all cases, that behavior will rely on a protocol called SCIM. I wrote a relatively straightforward SCIM explainer a while back. I encourage you to take a quick look.

JIT provisioning vs. SCIM provisioning

Once you have a reasonably good handle on SCIM provisioning, you may wonder why we have JIT provisioning. After all, it seems like they have kind of redundant functions.

There are pretty much two reasons why this is totally fine:

  1. Not everyone uses both protocols! In particular, it's very common for people to use SAML without using SCIM. JIT provisioning makes it possible for an identity provider to add new users to the service provider without manual intervention.

  2. SCIM doesn't typically provide real-time updates. There's often a lag between a change happening in the identity provider and that change getting pushed into the service provider. That creates a little bit of a weird window during which a user should be able to log in -- but during which the service provider hasn't gotten an update from the identity provider.

Corporate identity providers are also usually smart enough pieces of software that they won't send you conflicting SAML / SCIM claims. The data generally draws from the same store of user data.

On this topic, you may find this article helpful -- SAML vs. SCIM: What's the Difference?
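Here is a sketch of how a service provider might handle both paths, covering the JIT step from the first section and the SCIM lag described above. It is an added example, not Tesseral's code: the `Directory` class, its in-memory store, and the per-organization verified-domain check are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    org_id: str
    email: str
    source: str  # "jit" or "scim": which path first created the record

@dataclass
class Directory:
    # Assumption: each customer org has a set of email domains verified
    # for its SSO connection. Sample data below is constructed.
    org_domains: dict
    users: dict = field(default_factory=dict)  # keyed by (org_id, email)

    @staticmethod
    def _key(org_id, email):
        # Normalize so "Steve.Jobs@apple.com" and "steve.jobs@apple.com" match.
        return (org_id, email.strip().lower())

    def jit_login(self, org_id, email):
        """Call only after the SSO response was validated for org_id's connection."""
        key = self._key(org_id, email)
        domain = key[1].rpartition("@")[2]
        # An IdP may only create users in domains its own org has verified.
        if domain not in self.org_domains.get(org_id, set()):
            raise PermissionError(f"{domain} is not verified for org {org_id}")
        user = self.users.get(key)
        if user is None:
            # First time we see this user: create the account just in time.
            user = User(org_id, key[1], source="jit")
            self.users[key] = user
        return user

    def scim_create(self, org_id, email):
        """SCIM push that may arrive after the user has already logged in."""
        key = self._key(org_id, email)
        user = self.users.get(key)
        if user is None:
            user = User(org_id, key[1], source="scim")
            self.users[key] = user
        # Otherwise reuse the JIT-created record instead of making a duplicate.
        return user
```

Both paths key on the same normalized (organization, email) pair, so a late SCIM push lands on the account that JIT provisioning already created.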

Tesseral makes JIT provisioning easy

If you feel like all of this arcane stuff is overwhelming, you're not alone. Most software developers have a bit of a visceral reaction to the avalanche of user management and auth stuff that they have to manage.

Enterprises really will make your codebase complicated.

If you're looking for a clean way to abstract away user management and authentication in a B2B application, you should consider Tesseral. Tesseral is the only open source auth service designed specifically for B2B applications. Because it's narrowly focused, Tesseral can deliver highly sophisticated functionality like SAML, SCIM, RBAC, and more -- without requiring extra work from you.

If you want to try Tesseral, you can sign up for a free account to start exploring. You can also book time on my calendar to learn more.

About the Author
Ned O'Leary
Cofounder and CEO, Tesseral
Ned is the cofounder and CEO of Tesseral. Previously he worked at Gem and the Boston Consulting Group. He writes about product design, identity, and access management. You can often find him at Baker Beach in San Francisco with his puppy, Fred.