          Enable Just-in-Time Provisioning

          Enable Just-in-Time (JIT) provisioning in Salesforce to automatically create or update user accounts when users first log in to Salesforce with SAML single sign-on (SSO).

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Federated Authentication is available in: All Editions

          Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed

To view the settings: View Setup and Configuration

To edit the settings: Customize Application AND Modify All Data

          Before you can enable JIT provisioning, configure SAML SSO with Salesforce as a service provider.

          Enable JIT in Salesforce Setup.

          1. In Setup, in the Quick Find box, enter Single Sign-On Settings, and then select Single Sign-On Settings.
2. For the SAML Single Sign-On Settings on which you want to enable JIT, select Edit.
          3. In SAML Single Sign-On Settings, select User Provisioning Enabled in the Just-in-time User Provisioning section.
          4. Select a User Provisioning Type.
            • Standard—Provisions users automatically using attributes in the SAML assertion.
            • Custom SAML JIT with Apex handler—Provisions users based on logic in an Apex class.
Note: If you’re using Professional Edition, you can enable Standard JIT provisioning only.
          5. If you selected Standard, save your changes, and then test the SSO connection. If you selected Custom SAML JIT with Apex handler, go to the next step.
          6. For SAML JIT Handler, select an existing Apex class as the SAML JIT handler class.

            This class must implement the SamlJitHandler interface. If you don’t have an Apex class, you can generate one by clicking Automatically create a SAML JIT handler template. Edit this class, and modify the default content before you use it. For more information, see Edit the Just-in-Time Handler.

7. For Execute Handler As, select the user that runs the Apex class. The user must have the Manage Users permission. Because the handler runs with that user’s permissions rather than the authenticating user’s, the checks you write in the class are the only control over which profiles, permission sets, and field values an identity provider’s assertion can provision.
8. For SAML Identity Type, select Assertion contains the Federation ID from the User object. If your identity provider previously identified users by Salesforce username, tell them to send the Federation ID instead. JIT provisioning requires the Federation ID as the SAML identity type.
          9. Save your changes.

          After enabling JIT, edit the SAML JIT handler Apex class if you configured a Custom SAML JIT with Apex handler, then test your SSO connection.
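The following custom handler is an added example, not the template Salesforce generates or code from this page. It shows the shape of a SamlJitHandler class written for steps 6 and 7 above: the Federation ID is read from the assertion’s subject NameID rather than trusted from an attribute, required attributes are checked rather than assumed, and the profile an identity provider may assign is restricted to an allow list, because the class runs as the Execute Handler As user (who holds Manage Users) and nothing else stops a forged or misconfigured assertion from provisioning an administrator. Assumptions, which you should adjust to your own identity provider and org: the IdP sends attributes named User.Username, User.Email, User.LastName, User.FirstName and Profile.Name; profiles named Standard User and Read Only exist; and the assertion string may arrive base64-encoded, so it is decoded when it does not already start with XML.

```apex
// Added example handler; not Salesforce's generated template.
// Assumed IdP attribute names: User.Username, User.Email, User.LastName,
// User.FirstName, Profile.Name. Assumed org profiles: 'Standard User', 'Read Only'.
global class AllowlistedJitHandler implements Auth.SamlJitHandler {

    private class JitException extends Exception {}

    // The handler runs as the "Execute Handler As" user, who has Manage Users,
    // so this allow list is what prevents an IdP (or anyone who can forge its
    // assertions) from provisioning 'System Administrator'.
    private static final Set<String> ALLOWED_PROFILES =
        new Set<String>{ 'Standard User', 'Read Only' };
    private static final String DEFAULT_PROFILE = 'Read Only';

    // Called when no user with the asserted Federation ID exists yet.
    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
                           Map<String, String> attributes, String assertion) {
        String email = require(attributes, 'User.Email');
        User u = new User();
        u.FederationIdentifier = federationIdFrom(assertion);
        u.Username = require(attributes, 'User.Username');
        u.Email = email;
        u.LastName = require(attributes, 'User.LastName');
        u.FirstName = attributes.get('User.FirstName');
        u.Alias = email.substringBefore('@').replaceAll('[^a-zA-Z0-9]', '').left(8);
        u.ProfileId = profileIdFor(attributes.get('Profile.Name'));
        u.TimeZoneSidKey = 'GMT';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        insert u;
        return u;
    }

    // Called on every later login for a user matched by Federation ID.
    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
                           Map<String, String> attributes, String assertion) {
        User u = [SELECT Id, FederationIdentifier, Email, FirstName, LastName, ProfileId
                  FROM User WHERE Id = :userId];
        // Never rebind an existing account to a different subject.
        if (u.FederationIdentifier != federationIdFrom(assertion)) {
            throw new JitException('NameID in assertion does not match user ' + userId);
        }
        u.Email = require(attributes, 'User.Email');
        u.LastName = require(attributes, 'User.LastName');
        u.FirstName = attributes.get('User.FirstName');
        // A profile change is honoured only inside the allow list; any other
        // value leaves the current profile untouched instead of escalating.
        String requested = attributes.get('Profile.Name');
        if (requested != null && ALLOWED_PROFILES.contains(requested)) {
            u.ProfileId = profileIdFor(requested);
        }
        update u;
    }

    private static String require(Map<String, String> attrs, String name) {
        String v = attrs.get(name);
        if (String.isBlank(v)) {
            throw new JitException('Assertion is missing required attribute ' + name);
        }
        return v;
    }

    private static Id profileIdFor(String name) {
        String chosen = (name != null && ALLOWED_PROFILES.contains(name)) ? name : DEFAULT_PROFILE;
        return [SELECT Id FROM Profile WHERE Name = :chosen LIMIT 1].Id;
    }

    // The Federation ID is the subject NameID (step 8). Reading it from the
    // assertion XML, not from an attribute, means the IdP cannot send one
    // NameID for matching and a different value to store on the user.
    private static String federationIdFrom(String assertion) {
        // Assumption: the assertion may be passed base64-encoded; decode unless it is already XML.
        String xml = assertion.trim().startsWith('<')
            ? assertion
            : EncodingUtil.base64Decode(assertion).toString();
        Dom.Document doc = new Dom.Document();
        doc.load(xml);
        Dom.XmlNode nameId = findFirst(doc.getRootElement(), 'NameID');
        if (nameId == null || String.isBlank(nameId.getText())) {
            throw new JitException('Assertion has no subject NameID');
        }
        return nameId.getText().trim();
    }

    // Depth-first search by local element name, ignoring namespace prefixes.
    private static Dom.XmlNode findFirst(Dom.XmlNode node, String localName) {
        if (node.getName() == localName) return node;
        for (Dom.XmlNode child : node.getChildElements()) {
            Dom.XmlNode hit = findFirst(child, localName);
            if (hit != null) return hit;
        }
        return null;
    }
}
```

Any exception thrown from createUser or updateUser fails the login, which is the safe outcome when an assertion is missing a required attribute or names a subject other than the matched user. Because the handler is the only gate on what an assertion can provision, test it with assertions that request an unlisted profile and that omit required attributes, not just with the happy path, before enabling it for all users.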

          If you configured a Standard JIT User Provisioning Type, test your SSO connection by trying to access the identity provider’s application. Your identity provider directs the user’s browser to POST a form containing SAML assertions to the Salesforce login page. Each assertion is verified, and if successful, users can log in with SSO.

Note: Only one signature is required in your SAML settings, on either the response or the assertion. But if both signatures are present, Salesforce validates them both.

          If you have difficulty using SSO, use the SAML Assertion Validator.

          If your users have problems using SSO, review the SAML login history to determine the problem, and share what you find with your identity provider.

If you’re using SAML version 2.0, the OAuth 2.0 Token Endpoint field is populated after you configure SAML. Use this token endpoint with the OAuth 2.0 Web Server Flow.

          Salesforce Help | Article