Configure Just-In-Time provisioning in OneLogin
You can streamline your user onboarding by configuring Just-in-Time (JIT) provisioning in OneLogin. This feature automates account creation and updates the moment a user authenticates through a Trusted Identity Provider (TIdP). By mapping essential attributes in the Attribute Mapping section in JIT or using the Transform Editor for custom logic, you can ensure that users are instantly recognized and assigned the correct roles without manual intervention.
- Sign in to OneLogin.
- Go to and click New Trust.
- On the left-hand pane, go to the JIT section.
- Enable the Just-In-Time (JIT) provisioning setting.
- Enable the Set User TIDP after user creation setting.
- Map the First Name, Last Name, and Email attributes.
- Configure additional attributes as needed:
  - TIDP Value: Enter the exact, case-sensitive name of the attribute as defined in your IdP. For example:
    - Email: {tidp.email}
    - First Name: {tidp.given_name}
    - Last Name: {tidp.family_name}
  - User Field: Select the name of the OneLogin attribute to map the IdP value to.
  - Required?: Select this checkbox if the attribute is mandatory.
  - Updatable? (Optional): Select this checkbox to allow the user record to be updated with new information received from the IdP.
  - Transform (Optional): Add or edit the transformation details for customizing attributes and access parameters.
If users are prompted to sign in again after they sign in through the IdP, they likely don't exist in OneLogin. This usually indicates misconfigured JIT provisioning. To prevent this issue, verify that your JIT attribute mappings match the values expected by OneLogin for user creation.
Customize user attributes with the Transform Editor (optional)
The Transform Editor helps you customize user attributes using a restricted set of JavaScript capabilities. This allows you to automatically configure user roles or attributes based on values that are mapped from your IdP. For instance, you can automatically assign a specific role to a user based on the job title provided by their IdP account. The editor provides the following parameters and functions:
| Parameters/Functions | Description |
|---|---|
| current_value | The current value of the attribute for which the transform is being added. |
| tidp_attributes | The remaining attribute statements from the SAML assertion. For example, tidp_attributes["User.Email"]. |
| saml_response | The string that contains the SAML response. |
| setParameter_Name | Use this function to set the attribute's value. Capitalize the first letter of the parameter name and the first letter after any underscore, and leave the rest lowercase (for example, setRoles sets the Roles attribute). |
| reject | Use this function to reject the attribute's value and reject the assertion completely. This function triggers an event that prevents user creation and, therefore, disallows the user from signing in. |
The Transform Editor uses a sandbox environment to prevent malicious activity. Scripts are isolated, limited to the previously defined parameters, and subject to the following security restrictions:
- Only two value types can be passed to a setter function: strings and arrays of strings.
- The script terminates if it exceeds the allocated resource usage or execution-time limits.
- Transforms don't execute if they exceed 8000 ASCII characters or if they contain any non-ASCII characters.
Transformation Script
This basic transformation script parses a user's email address and assigns the Sales role to any user within the acmesales.com domain. You can modify this script to meet your org's specific requirements.
```javascript
// Split the email address into local part and domain
var email = tidp_attributes["Email"].split("@");
var domain = email[1];
// Assign the Sales role to users in the acmesales.com domain
if (domain === "acmesales.com") {
  setRoles("Sales");
}
```

If a user receives an "Access Denied" error immediately after signing in to the app, follow these steps to resolve the issue:
- Review the JIT transform script to verify the necessary roles in OneLogin are assigned correctly.
- Verify that no app policies are enabled for this specific app that might be blocking access.
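The following is an added example, not OneLogin's own code, that extends the basic script above so it can be exercised against the sandbox rules listed earlier: only strings or arrays of strings reach a setter, the script must be ASCII and at most 8000 characters, and reject() blocks user creation when an attribute is missing or the domain is unexpected. The transform() body is the part that would go into the Transform Editor; makeSandbox, runTransform and checkScriptText are stand-ins written here so the transform can be run offline, and the Email and Title attribute names, the second domain and the Manager role are constructed sample values, as is the assumption that reject() takes no argument.

```javascript
// Added example, not OneLogin's own code. The sandbox pieces below simulate
// what OneLogin supplies at runtime (tidp_attributes, setRoles, reject) so the
// transform can be run and checked outside the product.

// Simulated sandbox: the setter accepts only a string or an array of strings,
// matching the documented restriction; anything else is an error.
function makeSandbox(attrs) {
  const state = { roles: null, rejected: false };
  const isStringArray = (v) => Array.isArray(v) && v.every((x) => typeof x === "string");
  return {
    tidp_attributes: attrs,
    setRoles(value) {
      if (typeof value !== "string" && !isStringArray(value)) {
        throw new TypeError("setter requires a string or an array of strings");
      }
      state.roles = value;
    },
    reject() { state.rejected = true; },   // assumed to take no argument
    state,
  };
}

// Transform body as it would appear in the editor (ES5-style, as in the page's script).
// Assumes Email and Title arrive as plain strings (constructed attribute names).
function transform(tidp_attributes, setRoles, reject) {
  var email = (tidp_attributes["Email"] || "").toLowerCase();
  var parts = email.split("@");
  // A missing or malformed email must not silently produce a user with no roles.
  if (parts.length !== 2 || parts[1] === "") {
    reject();
    return;
  }
  var domain = parts[1];
  // Allow-list of domains to base roles on; sample values only.
  var allowed = { "acmesales.com": "Sales", "acmesupport.com": "Support" };
  if (!allowed.hasOwnProperty(domain)) {
    reject();
    return;
  }
  var roles = [allowed[domain]];
  var title = (tidp_attributes["Title"] || "").toLowerCase();
  if (title.indexOf("manager") !== -1) {
    roles.push("Manager");
  }
  setRoles(roles);   // array of strings is one of the two permitted setter types
}

// Run the transform against one set of IdP attributes and return what the
// sandbox recorded: the roles set, or whether the assertion was rejected.
function runTransform(attrs) {
  const sb = makeSandbox(attrs);
  transform(sb.tidp_attributes, sb.setRoles, sb.reject);
  return sb.state;
}

// Pre-check the script text against the size and character-set limits so a
// transform that would silently not execute is caught before it is saved.
function checkScriptText(src) {
  if (src.length > 8000) return false;
  for (let i = 0; i < src.length; i++) {
    if (src.charCodeAt(i) > 127) return false;
  }
  return true;
}
```

When a user reports "Access Denied" straight after IdP sign-in, running their attributes through runTransform shows whether the script rejected the assertion or set no roles, which separates a transform problem from an app-policy problem. Use checkScriptText on the editor contents before saving; a transform that exceeds the limits does not run, and the symptom is the same as a mapping that never assigned a role.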
Next step
Verify SP-initiated Single Sign-On (SSO)
