JIT Provisioning using OpenID Connect
When using the OpenID Connect protocol, the JIT End User Access Provisioning functionality can be activated by enabling the field ‘Allow JIT provisioning’ in the SSO configuration of the 4me account. Once enabled, 4me automatically triggers the JIT End User Access Provisioning for each ID token response from the OpenID Connect provider.
The JIT provisioning will follow these steps:
If the ‘Allow JIT provsioning’ field is not enabled for the SSO configuration of the 4me account go to step 4, else
if the ‘Allow JIT provisioning’ field is enabled, go to step 2
If a person record with the primary email address specified in either the ID token or UserInfo response already exists in 4me, update this person record with the JIT attributes present in the ID token and UserInfo responses and go to step 3, else
if no person record matching the primary email address specified in either the ID token or UserInfo response exists in 4me, generate a new person record with the JIT attributes included in the ID token and UserInfo responses and go to step 3.
Save the person record. If successful, go to step 4, else do not provide access and log an authentication failure in the Authentication Log and include all details (i.e. the validation errors).
Pass the ID token response to the 4me SSO functionality for login.
The following attributes (or claims) can be included in the ID token and UserInfo responses from the IdP to ensure that the corresponding field values are set in the person record of the person who is requesting access to 4me:
- given_name ¹
- family_name ¹
- middle_name ¹
- picture ²
¹ in case the name claim is not present, the name field
in 4me will be set to the concatenation of the given_name, family_name and
² the picture maps onto the avatar field in 4me.
If an attribute is not included in the ID token or UserInfo response from the IdP, and a person record already exists for the primary email address specified in those responses, the corresponding field value of the existing person record does not get updated.
Similarly, if an attribute is not included in either the ID token or UserInfo response from the IdP, and a new person record needs to be generated using the information in those responses, the corresponding field is left blank, with the exception of the following fields:
- name - default value is the value of the email claim (i.e. the primary email of the person record that is being generated)
- locale - default value is the locale (or language) of the 4me account
- time_zone - default value is the time zone of the 4me account
- time_format_24h - default value is the default time format of the language (e.g.
trueif locale is
falseif locale is