
How to start with JIT Provisioning in Communities

Knowledge Article Number 000198728
Description: The combination of Just In Time (JIT) Provisioning and Communities is relatively new. We are improving our documentation on the specific requirements in the authentication calls to make this work. Until then, this knowledge article serves as a quick-start guide.
To test and troubleshoot the SSO configuration you can use the Axiom SSO tool hosted on Heroku. Keep in mind that Axiom is a public test identity provider: it signs whatever Federation ID and attributes you type into it, so any org that trusts the Axiom certificate accepts logins minted by anyone using the tool. Remove the Axiom SAML setting from the org (or at least disable user provisioning on it) as soon as testing is finished, and never leave it enabled in a production org.

1. Create a Community and enable the self-registration feature (Salesforce documentation: Getting Started with Communities).
2. Get the Organization ID: Setup >> Administrative Setup >> Company Profile >> Company Information. This is the value that goes in the so= parameter of the Community login URL.
3. Download the Identity Provider Certificate: in the Axiom SSO tool, click the link for SAML Identity Provider & Tester, then download the Identity Provider Certificate.
4. Configure Single Sign-On in Salesforce: go to Setup >> Administrative Setup >> Security Controls >> Single Sign-On Settings, click Edit and check SAML Enabled.

5. Create a new SAML Single Sign-On Setting. Use the following values to be able to test with Axiom.
• Name: a name for this setting, for reference within your organization.
• Issuer: often referred to as the entity ID of the identity provider. In this case: Axiom
• Identity Provider Certificate: upload the Axiom certificate downloaded in step 3. This is the key Salesforce uses to verify the signature on every assertion, so it is the only thing standing between your org and anyone who can produce a signed assertion.
• User Provisioning Enabled: checked (true)
• Entity ID: if your Salesforce organization has a custom domain deployed, specify whether the base domain or the custom domain is used as the Entity ID. You must share this value with your identity provider, because the assertion's Audience must match it.
• SAML User ID Type: Assertion contains the Federation ID from the User object
• SAML User ID Location: User ID is in the NameIdentifier element of the Subject statement
NOTE: Enabling user provisioning requires that the SAML User ID Type be "Assertion contains the Federation ID from the User object".

6. Generate a SAML Response. In the Axiom tool, open the SAML Identity Provider & Tester page and fill in the fields as follows. Many of these values are found on the SAML Single Sign-On Settings detail page in your organization, and they must match it exactly: Salesforce rejects the assertion if the issuer, recipient or audience differs from what is configured.
SAML Version: must match the version selected in the Salesforce SSO settings: 2.0
Username OR Federated ID: the unique identifier of the community user; it becomes the Subject NameID that is matched against the FederationIdentifier field
User ID Location: Subject
Issuer: must match the Issuer specified in the Salesforce SSO settings: Axiom
Recipient URL: the Community Login URL from the SAML Single Sign-On Settings detail page in your organization. It has the form https://<community_URL>/login?so=<orgID>, where <orgID> is the Organization ID from step 2.
Entity ID: the Entity ID from the SAML Single Sign-On Settings detail page in your organization
SSO Start Page: leave the default value
User Type: Standard
JIT Provisioning Attributes: one attribute=value pair per line. The sample values below are the ones used in this article; the text after each pair explains what it must refer to.
Contact.Account=00130000011Qx7i   (ID of an existing Account; use the 15-character ID)
User.ProfileId=profileName   (ID or name of an existing Profile)
Account.AccountNumber=98523554   (an account number that does not exist yet; used together with Account.Name to create a new Account)
Account.Owner=005d0000000rUpH   (User ID that will own the new Account; required only when an Account has to be created)
JIT provisioning requires either a valid Account ID in Contact.Account (use the 15-character ID) or both Account.AccountNumber and Account.Name. Because these values are taken straight from the assertion, the identity provider decides which Account a new community user is attached to and which Profile it gets; enable provisioning only for an identity provider you fully control.
a. Salesforce attempts to match the Federation ID in the Subject of the SAML assertion (for example 12345) to the FederationIdentifier field of an existing User record.
b. If a matching User record is found, JIT provisioning uses the attributes to update the User fields named in the attributes.
c. If no matching User is found, Salesforce searches Contacts for a match, by Contact ID (User.Contact) or by e-mail (Contact.Email). Contact.Email and Contact.LastName are both required when User.Contact is not specified, but matching uses only Contact.Email when both are present.
d. If a matching Contact record is found, JIT provisioning updates the Contact fields named in the attributes and then inserts the new User record.
e. If no matching Contact is found, Salesforce searches Accounts for a match, by Contact.Account or by Account.AccountNumber together with Account.Name.
f. If a matching Account record is found, JIT provisioning inserts a new Contact record and a new User record from the attributes provided.
g. If no matching Account is found, JIT provisioning inserts a new Account record, a new Contact record and a new User record from the attributes provided.
7. Generate the SAML assertion: click the Request SAML Response button. Axiom signs the response with the key behind the certificate you uploaded in step 3 and posts it to the Recipient URL.
8. Log in: if everything is configured correctly and the login succeeds, you are redirected to the Community home page. If it fails, paste the SAML response into the SAML Assertion Validator on the Single Sign-On Settings page in Salesforce; it reports which of the checks (issuer, recipient, audience, signature, timestamps, user lookup) did not pass.
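The step 6 request and the matching order a to g above, as an added example in Python. This is not code from the Salesforce article or from the Axiom tool: it builds an unsigned SAML 2.0 Response with the Federation ID in the Subject NameID and the JIT attributes in an AttributeStatement, reads them back the way the service provider does, and replays the documented matching order against a constructed in-memory org so you can see which records a given assertion would update or create. Assumptions: every ID, URL, e-mail address and name is made up; the response carries no signature, so it is for inspecting structure and provisioning logic offline, not for posting to a real org; the function names new_id, build_response, extract_jit and provision are chosen here.

```python
# Added example; not from the Salesforce article or the Axiom tool.
# All IDs, URLs, e-mail addresses and names are constructed.
import itertools
import uuid
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)
_seq = itertools.count(1)


def new_id(prefix):
    # Fake 15-character Salesforce-style ID (001 Account, 003 Contact, 005 User).
    return prefix + f"{next(_seq):012d}"


def build_response(issuer, recipient, entity_id, federation_id, attributes):
    """Federation ID in Subject/NameID, one <Attribute> per JIT key. UNSIGNED on purpose."""
    fmt, now = "%Y-%m-%dT%H:%M:%SZ", datetime.now(timezone.utc)
    later = (now + timedelta(minutes=5)).strftime(fmt)
    resp = ET.Element(f"{{{NS_P}}}Response", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                      "IssueInstant": now.strftime(fmt), "Destination": recipient})
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(resp, f"{{{NS_P}}}Status"), f"{{{NS_P}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    asrt = ET.SubElement(resp, f"{{{NS_A}}}Assertion", {"ID": "_" + uuid.uuid4().hex,
                         "Version": "2.0", "IssueInstant": now.strftime(fmt)})
    ET.SubElement(asrt, f"{{{NS_A}}}Issuer").text = issuer
    subj = ET.SubElement(asrt, f"{{{NS_A}}}Subject")
    ET.SubElement(subj, f"{{{NS_A}}}NameID", {"Format":
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = federation_id
    conf = ET.SubElement(subj, f"{{{NS_A}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{NS_A}}}SubjectConfirmationData",
                  {"Recipient": recipient, "NotOnOrAfter": later})  # must equal the Recipient URL
    cond = ET.SubElement(asrt, f"{{{NS_A}}}Conditions",
                         {"NotBefore": now.strftime(fmt), "NotOnOrAfter": later})
    ET.SubElement(ET.SubElement(cond, f"{{{NS_A}}}AudienceRestriction"),
                  f"{{{NS_A}}}Audience").text = entity_id  # must equal the SP Entity ID
    stmt = ET.SubElement(asrt, f"{{{NS_A}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{NS_A}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{NS_A}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def extract_jit(xml):
    """What the SP reads: (federation ID from Subject/NameID, {Attribute Name: value})."""
    root = ET.fromstring(xml)
    fed = root.find(f".//{{{NS_A}}}Subject/{{{NS_A}}}NameID").text
    attrs = {a.get("Name"): a.find(f"{{{NS_A}}}AttributeValue").text
             for a in root.iter(f"{{{NS_A}}}Attribute")}
    return fed, attrs


def provision(org, federation_id, attrs):
    """Replay steps a-g on org = {"users": [], "contacts": [], "accounts": []}; return DML actions."""
    def find(rows, **match):
        return next((r for r in rows if all(r.get(k) == v for k, v in match.items())), None)
    user = find(org["users"], FederationIdentifier=federation_id)                  # a
    if user:                                                                        # b
        user.update({k[5:]: v for k, v in attrs.items() if k.startswith("User.")})
        return ["update User"]
    if "User.Contact" in attrs:                                                     # c
        contact = find(org["contacts"], Id=attrs["User.Contact"])
    elif "Contact.Email" in attrs and "Contact.LastName" in attrs:
        contact = find(org["contacts"], Email=attrs["Contact.Email"])
    else:
        raise ValueError("Contact.Email and Contact.LastName are required without User.Contact")
    actions = []
    if contact:                                                                     # d
        contact.update({k[8:]: v for k, v in attrs.items() if k.startswith("Contact.")})
        actions.append("update Contact")
    else:                                                                           # e
        if "Contact.Account" in attrs:
            account = find(org["accounts"], Id=attrs["Contact.Account"])
        elif "Account.AccountNumber" in attrs and "Account.Name" in attrs:
            account = find(org["accounts"], AccountNumber=attrs["Account.AccountNumber"],
                           Name=attrs["Account.Name"])
        else:
            raise ValueError("need Contact.Account, or Account.AccountNumber and Account.Name")
        if account is None:                                                         # g
            if "Account.Name" not in attrs or "Account.Owner" not in attrs:
                raise ValueError("creating an Account needs Account.Name and Account.Owner")
            account = {"Id": new_id("001"), "Name": attrs["Account.Name"],
                       "AccountNumber": attrs.get("Account.AccountNumber"),
                       "OwnerId": attrs["Account.Owner"]}
            org["accounts"].append(account)
            actions.append("insert Account")
        contact = {"Id": new_id("003"), "AccountId": account["Id"],                 # f
                   "Email": attrs.get("Contact.Email"), "LastName": attrs.get("Contact.LastName")}
        org["contacts"].append(contact)
        actions.append("insert Contact")
    org["users"].append({"Id": new_id("005"), "FederationIdentifier": federation_id,
                         "ContactId": contact["Id"], "ProfileId": attrs.get("User.ProfileId")})
    actions.append("insert User")
    return actions
```

Running the same assertion twice is the quickest way to see the difference between steps b and f: the first call against an org that already holds the referenced Account returns insert Contact and insert User, the second returns only update User. An assertion that names an unknown AccountNumber and Name, plus an Account.Owner, walks all the way to step g and creates all three records, which is exactly why the identity provider must be trusted before provisioning is switched on.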

