The problem with manual onboarding in enterprise apps

Ever tried onboarding 50 new hires on a Monday morning only to realize half of them can't even open their email? It's a total nightmare for IT teams, honestly.

Manual provisioning is basically the "old way" where an admin has to go into every single app—slack, jira, salesforce— and create a login by hand. It’s slow, boring, and prone to mistakes.

• it's a massive time sink: IT admins shouldn't be spending hours on data entry. According to JumpCloud, automating these workflows is a huge boon because it offloads tedious, perpetual tasks.
• security holes everywhere: when you do things by hand, you forget stuff. Maybe a retail manager gets admin rights they shouldn't have, or a healthcare worker's access isn't revoked when they leave.
• productivity takes a hit: if a new dev in a finance firm can't access the repo on day one, you're just burning money.

I've seen teams struggle with this for weeks. But there is a better way to handle it, which we'll dive into next with how jit actually works.

What is Just-in-Time (JIT) Provisioning and how it works?

Ever wonder why you can just "Sign in with Google" to a new app and—boom—your profile is already there with your name and photo? That’s not magic, it's just-in-time provisioning doing the heavy lifting behind the scenes.

Think of jit as the "lazy" (but efficient) way to manage users. Instead of an admin pre-creating 500 accounts in a database, the account doesn't even exist until the person actually tries to log in.

The technical deep dive

When a user hits that sso button, the Identity Provider (idp) sends over a bundle of data. In SAML, this is an XML-based "assertion." If you're using OIDC (OpenID Connect), it's usually a JSON Web Token (jwt) containing "claims." This bundle acts like a digital passport.

• it's reactive, not proactive: accounts are created at the moment of login, which keeps your user directory clean of "ghost" accounts for people who never actually use the tool.
• mapping is the secret sauce: you have to tell the app that the idp's dept_id: "engineering" means the user should get group: "dev-team" permissions.
• database entry on the fly: once the app parses the xml or json, it writes a new row in its user table. No manual entry, no typos in the email address.

Imagine a hospital floor where nurses need quick access to a new scheduling app.

1. The nurse logs in via the hospital's sso portal.
2. The idp sends a saml assertion with the attribute role: "head_nurse".
3. The app sees no account exists, creates one, and automatically grants "Head Nurse" permissions.

Implementation: How to get JIT live in your stack

If you're ready to stop making accounts by hand, here is the basic roadmap for setting this up. It's not as scary as it sounds but you gotta be precise.

1. Configure your IdP: Go into your identity provider (like Okta or Azure AD) and set up the application. You'll need to ensure it's configured to send the right attributes—like email, first name, and whatever roles you need.
2. Define Attribute Mapping: This is where most people mess up. You have to map the idp fields to the Service Provider (the app) fields. For example, mapping http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to just email.
3. Enable JIT in the App: Most enterprise apps have a toggle in the admin settings that says "Enable Just-in-Time Provisioning." Turn that on.
4. Set a Default Role: Always have a fallback role (like "Guest" or "Viewer") so if the mapping fails, the user doesn't get admin rights by accident.
5. Test with a dummy account: Don't test this with your own admin login. Create a fake user in your idp and see if they "spawn" correctly in the app when they log in.

JIT vs SCIM: choosing the right strategy

So, you've got sso running, but now you're stuck wondering if you should stick with jit or go full scim. It's a classic dev dilemma—do you want the "set it and forget it" vibe of jit, or the total control that comes with a scim sync?

• jit is reactive: It’s like a "just in time" delivery. The account only exists once the user actually clicks that sso button.
• scim is proactive: It’s a background sync. According to TechPrescient, scim can create or even delete accounts before a user ever touches the app.

The Security & Offboarding Gap

The big issue with jit is that it's a one-way street for onboarding. A 2024 report from One Identity highlights that while jit reduces admin load, it doesn't handle the "offboarding" part of the lifecycle.

If a dev leaves your fintech firm, jit won't tell the app to disable their seat. The account just sits there. This is why jit is a "double-edged sword"—it's great for Zero Trust because it prevents "ghost accounts" from being created early, but it leaves "orphaned accounts" when people leave. If you need instant deprovisioning for compliance in healthcare or finance, you're gonna need scim eventually.

Best practices for your JIT setup

Getting jit right is mostly about not being lazy with your mapping logic. If you just dump every user into a generic bucket, you're asking for a security headache later on.

• Set default roles: Always map new users to the lowest possible privilege level first. It’s safer to have a dev ask for more access than to accidentally give a contractor admin rights.
• Clean up your attributes: Make sure your idp sends clean data. If the app expects "Engineering" but gets "eng-dept", the provisioning might fail or create a duplicate.
• Log everything: You need an audit trail. If an account pops up out of nowhere, you'll want to see the saml assertion or oidc claims that triggered it.

I've seen a retail firm mess this up by mapping "Store Manager" to "Global Admin" in their inventory api. Not a fun weekend for the on-call team.

Jit is a massive time saver, but it works best when you treat it as part of a bigger identity strategy. Honestly, just keep your mappings tight and your logs readable and you'll be fine.

*** This is a Security Bloggers Network syndicated blog from SSOJet - Enterprise SSO & Identity Solutions authored by SSOJet - Enterprise SSO & Identity Solutions. Read the original post at: https://ssojet.com/blog/just-in-time-jit-provisioning-automated-user-provisioning-sso