Adding a Just-in-Time SAML IdP

You can set up a SAML IdP that uses just-in-time (JIT) provisioning.

  1. Navigate to the identity domain: Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Security and then Identity providers.
  3. Select an identity provider, and then click Configure JIT.
  4. Select Enable Just-in-Time (JIT) provisioning.
  5. Select one of the following:
    • Create new identity domain user: Create an identity user in the identity domain, if the user does not exist when logging in with the identity provider.
    • Update existing identity domain user: Merge and overwrite identity domain user account data from the mapped identity provider. The existing data is overwritten by the user data from the identity provider.

    JIT will not be enabled if you do not select one of these two options.
  6. In the field Map user attributes, map a user account from the identity provider to a user account from the identity domain.
    1. Click IdP user attribute type.
      • If you select Attribute, then enter the identity provider user attribute name.
      • If you select NameID, you do not need to enter the identity provider user attribute name.
    2. Select the identity domain user attribute.
    3. (Optional) Add more identity domain attributes.
  7. Click Assign group mapping to enable group mapping. If you enable group mapping, you must include the Group membership attribute name.
  8. To import the group settings, select one of the following:
    • Define explicit group mapping: This option requires you to provide the group name to map between the identity provider and identity domain.
    • Assign implicit group mapping: This option maps an identity provider group to an identity domain group that has exactly the same name.
    1. If you select explicit grouping, enter the IdP group name and select an available Identity domain group name.
    2. If you select implicit grouping, you do not need to map an identity provider group name or identity domain group name.
  9. (Optional) Click Assign domain group memberships to assign group memberships from the identity domain.
    1. Click Add group.
    2. Select the groups that you want to add, and then click Add groups.
  10. Select one of the following from Assignment rules:
    • Merge with existing group memberships
    • Replace existing group memberships
  11. In the field When a group is not found..., select one of the following:
    • Ignore the missing group: The user successfully signs in.
    • Fail the entire request: The sign in attempt fails.
  12. Click Save changes.
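
The following Python sketch is an added example, not Oracle's code: it models how the choices in steps 8 through 11 could combine into a user's group memberships at sign-in, so that a configuration can be reviewed before it is saved. The class, function and group names are hypothetical; skipping unmapped IdP groups in explicit mode and applying the step 9 groups under the same assignment rule are assumptions of the model.

```python
from dataclasses import dataclass, field

class JitSignInError(Exception):
    """Models 'Fail the entire request' (step 11)."""

@dataclass
class JitGroupConfig:  # hypothetical names, not the service's API
    mapping_mode: str = "implicit"                     # step 8: "explicit" or "implicit"
    explicit_map: dict = field(default_factory=dict)   # IdP group -> domain group
    static_groups: set = field(default_factory=set)    # step 9: domain group memberships
    assignment_rule: str = "merge"                     # step 10: "merge" or "replace"
    on_missing: str = "ignore"                         # step 11: "ignore" or "fail"

def resolve_groups(cfg, asserted, current, domain_groups):
    """Return the domain groups the user holds after a JIT sign-in in this model."""
    granted = set(cfg.static_groups)
    for idp_group in asserted:
        if cfg.mapping_mode == "explicit":
            target = cfg.explicit_map.get(idp_group)
            if target is None:
                continue  # assumption: an IdP group with no explicit mapping is skipped
        else:
            target = idp_group  # implicit: same exact name in the identity domain
        if target not in domain_groups:
            if cfg.on_missing == "fail":
                raise JitSignInError(f"group not found: {target}")
            continue  # ignore the missing group; sign-in proceeds
        granted.add(target)
    if cfg.assignment_rule == "merge":
        return set(current) | granted
    return granted  # replace: memberships not granted by this sign-in are dropped

# Constructed sample data: domain groups, the assertion's group values, current memberships.
DOMAIN_GROUPS = {"Administrators", "Developers", "Auditors"}
ASSERTED = ["Administrators", "eng-dev", "contractors"]
CURRENT = {"Auditors"}

def demo():
    implicit_merge = JitGroupConfig(mapping_mode="implicit")
    explicit_replace = JitGroupConfig(mapping_mode="explicit",
                                      explicit_map={"eng-dev": "Developers"},
                                      assignment_rule="replace")
    return (resolve_groups(implicit_merge, ASSERTED, CURRENT, DOMAIN_GROUPS),
            resolve_groups(explicit_replace, ASSERTED, CURRENT, DOMAIN_GROUPS))

if __name__ == "__main__":
    print(demo())
```

In this model, implicit mapping lets any asserted group name that matches a domain group (here "Administrators") become a membership, while explicit mapping with Replace leaves the user with only the mapped group.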