
Understanding Just-in-Time provisioning for SAML Single Sign On

Publication date: Oct 4, 2024
Description

Guidelines for Just-in-Time (JIT) provisioning

NOTE: This article applies to standard JIT provisioning for SAML SSO. For custom configurations in which Apex code implements the SamlJitHandler interface, step 1 applies by default and steps 2-7 can be handled by the Apex code.

1.  Salesforce attempts to match the Federated ID in the subject of the SAML assertion (e.g. 12345) to the FederationIdentifier field of an existing user record.
2.  If a matching user record is found, JIT provisioning updates the user fields specified by the attributes.
3.  If no matching user record is found, Salesforce searches contacts for a match based on Contact ID (User.Contact) or email (Contact.Email).
Contact.Email and Contact.LastName are both required properties when User.Contact is not specified, but matching is based only on Contact.Email when both properties exist.
4.  If a matching contact record is found, JIT provisioning updates the contact fields specified by the attributes and then inserts the new user record.
5.  If no matching contact record is found, Salesforce searches accounts for a match based on Contact.Account or Account.AccountNumber.
Account.AccountNumber and Account.Name are both required properties when Contact.Account is not specified, but matching is based only on Account.AccountNumber when both properties exist.
6.  If a matching account record is found, JIT provisioning inserts a new contact record and a new user record based on the attributes provided.
7.  If no matching account record is found, JIT provisioning inserts a new account record, a new contact record, and a new user record based on the attributes provided.
Refer to the examples below and their results in the different scenarios.


Example 1:
User record exists: Contact fields (e.g. LastName, Email) and User fields (e.g. Email, LastName, etc.) are updated.
User record does not exist, but contact record does: SFDC matches the contact based on LastName and Email. New user record inserted.
User record and contact record do not exist: New contact and user records are inserted.
Contact.Account=00130000011Qx7i;
Contact.LastName=PortalUser; Contact.Email=testPortal1@test.com;
User.ProfileId=00e30000000wAhX;
User.PortalRole=Worker;
User.Username=testPortal1@test.com;
User.Email=testPortal1@test.com;
User.LastName=PortalUser;

In the example above, new portal users and contacts are created under a hard-coded Account Id. If you don't know the Account Id, you can search for the account by its Name and Account Number instead.

Example 2:
User record exists: Account fields (e.g. Name, Owner), Contact fields (e.g. LastName, Email), and User fields (e.g. Email, LastName, etc.) are updated.
User record does not exist, but contact record does: SFDC matches the contact based on LastName and Email. Account fields (e.g. Name, Owner) are updated. New user record inserted.
User record and contact record do not exist: SFDC matches the account based on AccountNumber and Name. New contact and user records are inserted.
User record, contact record, and account record do not exist: New account, contact, and user records are inserted.
Account.AccountNumber=9999;
Account.Name=TestCompany;
Account.Owner=005J0000000yvS0;
Contact.LastName=PortalUser2;
Contact.Email=testPortal2@test.com;
User.ProfileId=00eU0000000ZLQe;
User.PortalRole=Worker;
User.Username=testPortal2@test.com;
User.Email=testPortal2@test.com;
User.LastName=PortalUser2;

Note that in the example above, an Owner Id is required to create a new account record.
Now, what if you don't want JIT provisioning to create new account records, or you don't have account details in your IdP? Then you can leave out the account attributes altogether.

Example 3:
User record exists: Contact fields (e.g. LastName, Email) and User fields (e.g. Email, LastName, etc.) are updated.
User record does not exist, but contact record does: SFDC matches the contact based on LastName and Email. New user record inserted.
User record and contact record do not exist: SFDC matches the account based on AccountNumber and Name. New contact and user records are inserted.
User record, contact record, and account record do not exist: The process does not insert any new records, because an account is needed to create a contact and portal user record.

Contact.LastName=PortalUser3;
Contact.Email=testPortal3@test.com;
User.ProfileId=00e30000000wAhX;
User.PortalRole=Worker;
User.Username=testPortal3@test.com;
User.Email=testPortal3@test.com;
User.LastName=PortalUser3;

The examples above show only the minimum attributes required. You can include additional attributes that correspond to standard fields on the User, Contact, and Account records.
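The seven steps and the three examples describe one decision procedure. The following Python model is an added example, not Salesforce code: it applies the documented match order (Federation ID, then Contact by User.Contact or Contact.Email, then Account by Contact.Account or Account.AccountNumber, with the required-property and Owner checks) to an in-memory stand-in for the org and reports which records would be updated or inserted. The Org class, the scenario() helper, and the generated record Ids are constructed for the example; the attribute values are the page's Example 2 and Example 3 samples. It is useful for reasoning about what a given assertion can create before granting an IdP that power, since steps 6 and 7 insert records without any further review.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Org:
    """Constructed in-memory stand-in for the org's User, Contact and Account tables."""
    users: Dict[str, dict] = field(default_factory=dict)
    contacts: Dict[str, dict] = field(default_factory=dict)
    accounts: Dict[str, dict] = field(default_factory=dict)
    seq: int = 0

    def new_id(self, prefix: str) -> str:
        # Constructed Ids; real Salesforce Ids are 15/18-character keys with these prefixes.
        self.seq += 1
        return f"{prefix}{self.seq:012d}"


def split_attrs(attrs: dict, obj: str) -> dict:
    """Collect '<obj>.<Field>' assertion attributes into {'Field': value}."""
    return {k.split(".", 1)[1]: v for k, v in attrs.items() if k.startswith(obj + ".")}


def find(table: Dict[str, dict], fld: str, value) -> Optional[str]:
    """Id of the first record whose field equals value, else None."""
    return next((rid for rid, rec in table.items() if rec.get(fld) == value), None)


def provision(org: Org, federation_id: str, attrs: dict) -> dict:
    """Apply steps 1-7 to one assertion; return the records updated/inserted, or the error."""
    user_f = {k: v for k, v in split_attrs(attrs, "User").items() if k != "Contact"}
    contact_ref = split_attrs(attrs, "User").get("Contact")          # User.Contact (Contact Id)
    contact_f = {k: v for k, v in split_attrs(attrs, "Contact").items() if k != "Account"}
    account_ref = split_attrs(attrs, "Contact").get("Account")       # Contact.Account (Account Id)
    account_f = split_attrs(attrs, "Account")
    result = {"updated": [], "inserted": [], "error": None}

    def update(kind, table, rid, fields):
        if fields:
            table[rid].update(fields)
            result["updated"].append((kind, rid))

    # Steps 1-2: subject -> User.FederationIdentifier; a hit only updates, never inserts.
    uid = find(org.users, "FederationIdentifier", federation_id)
    if uid:
        update("User", org.users, uid, user_f)
        cid = org.users[uid].get("ContactId")
        if cid in org.contacts:
            update("Contact", org.contacts, cid, contact_f)
            aid = org.contacts[cid].get("AccountId")
            if aid in org.accounts:
                update("Account", org.accounts, aid, account_f)
        return result

    # Step 3: match a contact by User.Contact, or by Contact.Email only (LastName must still be present).
    if contact_ref is not None:
        cid = contact_ref if contact_ref in org.contacts else None
    elif "Email" in contact_f and "LastName" in contact_f:
        cid = find(org.contacts, "Email", contact_f["Email"])
    else:
        result["error"] = "Contact.Email and Contact.LastName are required without User.Contact"
        return result

    if cid is None:
        # Step 5: match an account by Contact.Account, or by Account.AccountNumber only (Name must be present).
        if account_ref is not None and account_ref in org.accounts:
            aid = account_ref
        elif "AccountNumber" in account_f and "Name" in account_f:
            aid = find(org.accounts, "AccountNumber", account_f["AccountNumber"])
        else:
            # Example 3, last scenario: nothing is inserted because no account can be found or built.
            result["error"] = "Account.AccountNumber and Account.Name are required without Contact.Account"
            return result
        if aid is None:
            # Step 7: insert the account; an Owner Id is required (note after Example 2).
            if "Owner" not in account_f:
                result["error"] = "Account.Owner is required to insert an account"
                return result
            aid = org.new_id("001")
            org.accounts[aid] = dict(account_f)
            result["inserted"].append(("Account", aid))
        # Steps 6-7: insert the contact under the matched or new account.
        cid = org.new_id("003")
        org.contacts[cid] = {**contact_f, "AccountId": aid}
        result["inserted"].append(("Contact", cid))
    else:
        # Step 4: contact matched -> update contact (and, per Example 2, account) fields first.
        update("Contact", org.contacts, cid, contact_f)
        aid = org.contacts[cid].get("AccountId")
        if aid in org.accounts:
            update("Account", org.accounts, aid, account_f)

    # Steps 4, 6 and 7 all finish by inserting the user linked to the contact.
    uid = org.new_id("005")
    org.users[uid] = {**user_f, "ContactId": cid, "FederationIdentifier": federation_id}
    result["inserted"].append(("User", uid))
    return result


# Attribute sets copied from Example 2 above; Example 3 is the same set without the Account.* attributes.
EXAMPLE_2 = {"Account.AccountNumber": "9999", "Account.Name": "TestCompany",
             "Account.Owner": "005J0000000yvS0", "Contact.LastName": "PortalUser2",
             "Contact.Email": "testPortal2@test.com", "User.ProfileId": "00eU0000000ZLQe",
             "User.PortalRole": "Worker", "User.Username": "testPortal2@test.com",
             "User.Email": "testPortal2@test.com", "User.LastName": "PortalUser2"}
EXAMPLE_3 = {k: v for k, v in EXAMPLE_2.items() if not k.startswith("Account.")}


def scenario(attrs: dict, seed_contact: bool = False, seed_user: bool = False):
    """Fresh constructed org, optionally pre-seeded with a matching contact (and user); one run."""
    org = Org()
    if seed_contact or seed_user:
        aid = org.new_id("001")
        org.accounts[aid] = {"AccountNumber": "9999", "Name": "OldName"}
        cid = org.new_id("003")
        org.contacts[cid] = {"Email": attrs["Contact.Email"], "LastName": "OldName", "AccountId": aid}
        if seed_user:
            org.users[org.new_id("005")] = {"FederationIdentifier": "12345", "ContactId": cid}
    return org, provision(org, "12345", attrs)


if __name__ == "__main__":
    for label, args in [("Example 2, empty org", (EXAMPLE_2,)), ("Example 3, empty org", (EXAMPLE_3,)),
                        ("Example 3, contact exists", (EXAMPLE_3, True))]:
        print(label, "->", scenario(*args)[1])
```

Running the four Example 2 scenarios and the four Example 3 scenarios against the model reproduces the outcomes listed on the page, including the one that matters most for least-privilege review: with no account attributes and no pre-existing contact, the run ends with an error and inserts nothing.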

References:
Single Sign-On Implementation Guide
JIT Provisioning Requirements and SAML Assertion Fields
Just-in-Time Provisioning and SAML Assertion Fields for Portals 

Knowledge Article Number

000385744

Salesforce Help | Article