Add and update users with Just-In-Time provisioning

You can use Just-In-Time (JIT) provisioning to automatically create user profiles when a user first authenticates with Active Directory (AD) delegated authentication, desktop single sign-on (SSO), or inbound Security Assertion Markup Language (SAML).

A new user account is only created and activated if the user does not have an existing Okta user profile. If the user has an Okta user profile, it is updated during a full import. Users who are confirmed on the import results page, regardless of whether or not they are subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.

If delegated authentication is enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts. If delegated authentication is not enabled, you'll need to import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.

For a list of known issues, see Active Directory integration known issues or LDAP integration known issues.

  1. In the Admin Console, go to DirectoryDirectory Integrations and select an AD instance.
  2. Click the Provisioning tab and click To Okta in the Settings list.
  3. Click Edit in the General section.
  4. Select the Create and update users on login check box next to JIT provisioning.
  5. Scroll down and click Save.