Add and update users with Just-In-Time provisioning

Just-In-Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) Delegated Authentication, Desktop SSO, or inbound SAML.

JIT account creation and activation only works for users who are not already Okta users. This means that users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.

If delegated authentication is enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts.

If you do not have delegated authentication enabled, you must import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.

When JIT is enabled for your org and delegated authentication is selected for your AD or LDAP integration, JIT is used to create user profiles and import user data.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Click Active Directory and then click the Provisioning tab.
  3. Click To Okta in the SETTINGS list.
  4. Click Edit in the General area.
  5. Select the Create and update users on login check box next to JIT provisioning.
  6. Click Save.