This article goes over how to enable and disable JIT provisioning.
Overview of JIT Provisioning
Just-In-Time (JIT) provisioning lets Ironclad automatically create a new user the first time they successfully sign in with SAML/SSO, as long as all of the following are true:
- The user can sign in to your IdP (e.g., Okta, Microsoft Entra ID, OneLogin, Google, etc.)
- The user is assigned to the Ironclad SAML application in your IdP
- The SAML assertion includes the required attributes: email, firstName, and lastName
When a user is created via JIT, they are added to the Everyone group by default.
Warning: If your IdP assignment is broad (for example, the Ironclad app is assigned to a large security group or Everyone), JIT can result in uninvited users gaining access to Ironclad. For stricter access control, either:
- Narrow which users or groups are assigned to the Ironclad app in your IdP, or
- Disable JIT in Ironclad and provision users via SCIM or manual invites instead
Required SAML Assertion Attributes
At minimum, the SAML assertion should include the following attributes.
Note: Make sure the SAML assertion attribute names follow the camelCase format.
| Value | Name |
|---|---|
| user.email | email |
| user.firstName | firstName |
| user.lastName | lastName |
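
One way to check a test assertion from your IdP against the attribute names above before enabling JIT. This is an added example, not Ironclad's code: the sample assertion is constructed, and the function name `check_jit_attributes`, the exact-case comparison, and the empty-value check are assumptions of the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # attribute names from this article

# Constructed sample assertion fragment (not captured from a real IdP).
# It does not carry a signature; this check looks at attribute names only.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>pat@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Pat</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_jit_attributes(assertion_xml):
    """Return a list of problems; an empty list means every required attribute is usable."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name", "")] = [v for v in values if v]
    by_lower = {name.lower(): name for name in found}
    problems = []
    for name in REQUIRED:
        if name in found:
            # Assumption of this example: an empty value is treated as a problem.
            if not found[name]:
                problems.append(f"{name}: present but has no value")
        elif name.lower() in by_lower:
            # Same attribute sent with different casing, e.g. FirstName.
            problems.append(f"{name}: sent as '{by_lower[name.lower()]}' (wrong case)")
        else:
            problems.append(f"{name}: missing")
    return problems


if __name__ == "__main__":
    for problem in check_jit_attributes(SAMPLE_ASSERTION):
        print(problem)
```
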
Update JIT Provisioning in Company Settings
To change the JIT provisioning setting:
1. Log in to Ironclad as an admin.
2. Click your profile icon in the top-right corner and select Company Settings.
3. Navigate to Integrations > SAML.
4. Click the SAML Configuration tab and select your SAML configuration.
5. Under Enable Just-In-Time (JIT) Provisioning (optional), do one of the following:
   - Enable JIT: Select the checkbox.
   - Disable JIT: Clear the checkbox.
6. Click Save.