Skip to content

Configure Just-in-Time user provisioning

This guide explains the concept of Just-In-Time (JIT) user provisioning, why and when to use it, and also the instructions for configuring it.

How JIT provisioning works

Just-in-Time (JIT) user provisioning is a method used to store a user's identity and user attributes in the Asgardeo user store when the user logs in with an external identity provider (IdP)

The flow of JIT user provisioning is as follows:

  1. When an application initiates an authentication request, the user gets redirected to Asgardeo.

  2. If the user selects an external IdP for authentication, Asgardeo redirects the user to the relevant IdP.

  3. If Asgardeo receives a positive authentication response from the external IdP, JIT provisioning is triggered.

  4. Asgardeo creates a user account in its internal user store along with the user attributes obtained from the authentication response.

How JIT user provisioning works

With this process, new user accounts are automatically provisioned to Asgardeo when users log in with external IdPs.

Enable/Disable JIT user provisioning


Register the external IdP as a connection in Asgardeo.

To enable/disable JIT user provisioning for an external Identity provider:

  1. On the Asgardeo Console, click Connections and select the relevant connection.

  2. Go to the Just-in-Time Provisioning tab of the selected connection.

  3. Check/Uncheck the Just-in-Time (JIT) User Provisioning checkbox to enable/disable it.

    JIT user provisioning configuration is enabled

  4. Click Update to save.


  • When JIT is enabled, Asgardeo updates the existing local account created with the same email address or if a new user, creates a user profile with the user attributes received from the external IdP.
  • When JIT is disabled, a user profile is not created. Therefore, there is no location to store the attributes of the user. In such cases, the attributes are directly passed to the application.


If you have configured multi-factor authentication (MFA), disabling JIT user provisioning might break the application login flow. Learn more about troubleshooting sign-in flow errors with JIT.

Troubleshoot sign-in flow errors

If you have disabled JIT provisioning for an IdP, applications that use multi-factor authentication may break as certain MFA mechanisms (such as TOTP and Email OTP) require users to have local accounts in Asgardeo.

When configuring an application's sign-in flow involving JIT-disabled IdPs and such MFA options, Asgardeo displays the following warning:

MFA based Sign-in flow with JIT user provisioning

To avoid unexpected errors, you can use the following conditional authentication script to skip the MFA step when using JIT-disabled connectors.

var localAuthenticator = 'LOCAL';
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            var step = context.steps[1];
            if (step.idp == localAuthenticator) {
                executeStep(2); // MFA Step


For more information on this script, refer to the sign-in option-based conditional authentication script.