Configure Just-in-Time (JIT) user provisioning

# Configure Just-in-Time (JIT) user provisioning

This guide explains the concept of Just-In-Time user provisioning, why and when to use it, and also the instructions for configuring it.

# How JIT provisioning works

Just-in-Time (JIT) user provisioning is a method used to store a user's identity and user claims in the Asgardeo user store when the user is authenticated through an external identity provider (IdP).

The flow of JIT user provisioning is as follows:

  1. When an application initiates an authentication request, the user gets redirected to Asgardeo.

  2. If the user has used an external identity provider for authentication, Asgardeo redirects the user to the selected external IdP.

  3. Asgardeo receives a positive authentication response from the external IdP with the user information.

  4. JIT provisioning is triggered and Asgardeo creates a user account in its internal user store along with the user claims obtained from the authentication response.

How JIT user provisioning works

With this process, new user accounts are automatically provisioned to Asgardeo through external IdPs.

# Prerequisites

First, the external IdP should be registered in Asgardeo as a connection.

Learn more about how to enable login to your application using the following external IdPs:

# Enable/Disable JIT user provisioning

To enable/disable JIT user provisioning for an external Identity provider:

  1. On the Asgardeo Console, click Connections and select the relevant IdP.

  2. Go to the Advanced tab of the selected IdP.

  3. JIT provisioning is enabled by default. You can uncheck the Just-in-Time (JIT) User Provisioning checkbox to disable it. JIT user provisioning configuration is enabled

  4. Click Update to save.

  • When JIT is enabled, Asgardeo will create a user profile and store the user attributes recieved from the external IdP.
  • When JIT is disabled, a user profile is not created. Therefore, there is no location to store the attributes of the user. In such cases, the attributes are directly passed to the application.

If you have configured multi-factor authentication (MFA), disabling JIT user provisioning might break the application login flow. Learn more about troubleshooting sign-in flow errors with JIT.

# Troubleshoot sign-in flow errors

If you have disabled JIT provisioning for an IdP, you need to validate its effect on your applications that use multi-factor authentication. This is because certain MFA mechanisms (such as TOTP and EmailOTP) require the login users to have local accounts in Asgardeo. Therefore, the application’s sign-in flow involving JIT-disabled IdPs and the MFA options will break by default.

In such scenarios, you will see the following warning in the application’s sign-in flow:

MFA based Sign-in flow with JIT user provisioning

To avoid such errors, you can use one of the following options:

  • Conditionally skip MFA

    You can skip MFA for external connections during the login flow by using the following example script:

    var localAuthenticator = 'LOCAL';
    var onLoginRequest = function (context) {
        executeStep(1, {
            onSuccess: function (context) {
                var step = context.steps[1];
                if (step.idp == localAuthenticator) {
                    executeStep(2); // MFA Step

    For more information on this script, refer the sign-in option based conditional authentication script.