          Just-in-Time Provisioning for SAML

          Use Just-in-Time (JIT) provisioning to automatically create a user account in your Salesforce org the first time a user logs in with a SAML identity provider. JIT provisioning can reduce your workload and save time because you don’t provision users or create user accounts in advance.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions

          With JIT provisioning, an identity provider passes user information to Salesforce in a SAML 2.0 assertion, which is processed by an Apex JIT handler class. The JIT handler does the heavy lifting of creating and updating user accounts. To let Salesforce manage the JIT handler for you, configure standard JIT provisioning. If you want more control, configure JIT provisioning with a custom handler. For more information on custom Apex handlers, see SamlJitHandler Interface in the Apex Reference Guide.

          Note: When users are created via JIT provisioning, their email addresses aren’t automatically verified. Starting in Spring ’24, single sign-on (SSO) users can’t send emails from Salesforce unless they have a verified email address. If your JIT-provisioned users need email-send functionality, verify their email addresses manually. To learn how, see User Email Verification.
          • Enable Just-in-Time Provisioning
            Enable Just-in-Time (JIT) provisioning in Salesforce to automatically create or update user accounts when users first log in to Salesforce with SAML single sign-on (SSO).
          • Edit the SAML Just-in-Time Handler
            Finish the custom SAML Just-in-Time (JIT) configuration process by editing the Apex provisioning handler class. You can customize the way Salesforce provisions users when they log in to Salesforce with SAML single sign-on (SSO) for the first time.
          • Just-in-Time SAML Assertion Fields for Salesforce
            With Just-in-Time (JIT) provisioning, the identity provider sends user information to your Salesforce org in an Attributes statement in a SAML assertion. Work with your identity provider to determine which user information you want to pass to your org and to make sure that the Attributes statement is formatted correctly.
          • Just-in-Time SAML Assertion Fields for Experience Cloud
            With Just-in-Time (JIT) provisioning for Experience Cloud, you can use a SAML assertion to create Experience Cloud site users the first time they log in from an identity provider. The identity provider sends user information to your Salesforce org in an Attributes statement in a SAML assertion. Work with your identity provider to determine which user information you want to pass to your org and to make sure that the Attributes statement is formatted correctly.
          • Just-in-Time SAML Assertion Fields for Portals
            With Just-in-Time (JIT) provisioning for portals, you can use a SAML assertion to create customer and partner portal users the first time they log in from an identity provider. Customer portals and partner portals aren’t available for new Salesforce orgs as of Summer ’13. Use JIT provisioning with Experience Cloud instead.
          • Just-in-Time Provisioning Errors
            Error codes, descriptions, and details for SAML Just-in-Time (JIT) provisioning are returned in the URL parameters.
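
The custom-handler option described in the overview and in "Edit the SAML Just-in-Time Handler", sketched as an added example (not Salesforce's generated handler and not code from this page). It implements `Auth.SamlJitHandler` and refuses to provision a user whose asserted profile is not on an allowlist. The class name, the allowlisted profile names, the locale defaults, and the assumption that the identity provider sends `User.*` attribute names with a profile name in `User.ProfileId` are all illustrative.

```apex
global class AllowlistJitHandler implements Auth.SamlJitHandler {
    // Assumption: the only profiles JIT may assign in this org (hypothetical names).
    private static final Set<String> ALLOWED_PROFILES = new Set<String>{ 'Standard User', 'Read Only' };
    // Assumption: the IdP sends these attribute names, with a profile name in User.ProfileId.
    private static final List<String> REQUIRED = new List<String>{
        'User.Username', 'User.Email', 'User.LastName', 'User.ProfileId' };
    public class JitException extends Exception {}

    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        User u = new User(FederationIdentifier = federationIdentifier);
        applyAttributes(u, attributes);
        u.Username = attributes.get('User.Username');
        u.Alias = u.LastName.left(8);
        // Locale defaults are assumptions; use your org's values.
        u.TimeZoneSidKey = 'GMT';
        u.LocaleSidKey = 'en_US';
        u.LanguageLocaleKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        return u; // not inserted here; Salesforce saves the returned record
    }

    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        User u = new User(Id = userId);
        applyAttributes(u, attributes);
        update u;
    }

    // Validate the assertion's attributes, then copy them onto the user record.
    private void applyAttributes(User u, Map<String, String> attributes) {
        for (String key : REQUIRED) {
            if (String.isBlank(attributes.get(key))) {
                throw new JitException('Missing SAML attribute: ' + key);
            }
        }
        String profileName = attributes.get('User.ProfileId');
        // Reject any profile the IdP asks for that is not on the allowlist.
        if (!ALLOWED_PROFILES.contains(profileName)) {
            throw new JitException('Profile not allowed for JIT: ' + profileName);
        }
        List<Profile> found = [SELECT Id FROM Profile WHERE Name = :profileName LIMIT 1];
        if (found.isEmpty()) {
            throw new JitException('Unknown profile: ' + profileName);
        }
        u.ProfileId = found[0].Id;
        u.Email = attributes.get('User.Email');
        u.LastName = attributes.get('User.LastName');
    }
}
```

Because the same validation runs in `updateUser`, a later assertion cannot move an existing user onto a profile outside the allowlist.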
           