Add and update users with Just-In-Time provisioning

You can use Just-In-Time (JIT) provisioning to automatically create user profiles when a user first authenticates with Active Directory (AD) delegated authentication, desktop single sign-on (SSO), or inbound Security Assertion Markup Language (SAML).

A new user account is only created and activated if the user doesn't have an existing Okta user profile. If the user has an Okta user profile, it's updated during a full import. Users who are confirmed on the import results page, regardless of whether they're later activated, aren't eligible for JIT activation. When JIT is enabled, users don't receive activation emails.

If delegated authentication is enabled, you don't need to import users from AD first for JIT provisioning to create Okta accounts. If delegated authentication isn't enabled, you need to import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.

For a list of known issues, see Active Directory integration known issues or LDAP integration known issues.

  1. In the Admin Console, go to Directory > Directory Integrations and select an AD instance.
  2. Click the Provisioning tab and click To Okta in the Settings list.
  3. Click Edit in the General section.
  4. Select the Create and update users on login checkbox next to JIT provisioning.
  5. Scroll down and click Save.