Loading

Understanding Just-in-Time (JIT) Provisioning for SAML Single Sign-On (SSO)

Data pubblicazione: May 16, 2026
Descrizione

This article provides guidelines for Just-in-Time (JIT) provisioning with SAML Single Sign-On (SSO) in Salesforce. JIT provisioning automatically creates or updates Salesforce user records when a user authenticates via SAML SSO for the first time.
Note: This article applies to standard JIT Provisioning for SAML SSO. For custom configurations where Apex code implements the SamlJitHandler Interface, Step 1 below applies by default and Steps 2–7 can be handled by the Apex code.

How JIT Provisioning Works

When a user attempts to log in via SAML SSO, Salesforce follows these steps sequentially:

  1. Salesforce attempts to match the Federated ID in the subject of the SAML assertion (for example, 12345) to the FederationIdentifier field of an existing user record.
  2. If a matching user record is found: JIT provisioning uses the SAML attributes to update the fields specified in the assertion attributes.
  3. If a matching user record is not found: Salesforce searches for a contact based on Contact ID (User.Contact) or email (Contact.Email). Note: Contact.Email and Contact.LastName are both required when User.Contact is not specified. Matching is based on Contact.Email when both properties exist.
  4. If a matching contact record is found: JIT provisioning updates the contact fields specified in the attributes and inserts a new User record.
  5. If a matching contact record is not found: Salesforce searches for an Account based on Contact.Account or Account.AccountNumber. Note: Account.AccountNumber and Account.Name are both required when Contact.Account is not specified. Matching is based on Account.AccountNumber when both exist.
  6. If a matching account record is found: JIT provisioning inserts a new contact record and inserts a new User record.
  7. If no matching account record is found: JIT provisioning inserts a new account record, inserts a new contact record, and inserts a new User record.

 

Risoluzione

To configure JIT provisioning for SAML SSO in Salesforce, ensure your SAML assertion includes the correct attributes for user, contact, and account matching as described in the seven-step process above.
Minimum Required Attributes by Scenario:
Scenario A — Create portal users with a known Account ID:
Include Contact.Account (the Account ID), Contact.LastName, Contact.Email, User.ProfileId, User.PortalRole, User.Username, User.Email, and User.LastName in your SAML assertion. This creates new portal users and contacts linked to a specific hardcoded Account.
Scenario B — Create portal users with Account lookup by Name and Number:
Include Account.AccountNumber, Account.Name, Account.Owner (owner ID required to create a new account), Contact.LastName, Contact.Email, User.ProfileId, User.PortalRole, User.Username, User.Email, and User.LastName. This allows Salesforce to match or create the Account by number and name.
Scenario C — Create portal users without Account creation:
Include Contact.LastName, Contact.Email, User.ProfileId, User.PortalRole, User.Username, User.Email, and User.LastName. Omit all Account attributes. If no matching account or contact record exists, no new records are inserted.
In all scenarios, you can include additional attributes that correspond to standard fields on the User, Contact, and Account records beyond the minimum required set.

Numero articolo Knowledge

000385744

 
Caricamento
Salesforce Help | Article