Add and update users with Just-In-Time provisioning

Use Just-In-Time (JIT) provisioning to automatically create a user profile when a user first authenticates. This includes authentication through Active Directory (AD) delegated authentication, desktop single sign-on (SSO), or inbound Security Assertion Markup Language (SAML).

A new user account is only created and activated if the user doesn't have an existing Okta user profile. If they do have an Okta user profile, it's updated during a full import. Users who are confirmed on the Import Results page, regardless of whether they're later activated, aren't eligible for JIT activation. When JIT is enabled, users don't receive activation emails.

If delegated authentication is enabled, you don't need to import users from AD before using JIT provisioning to create Okta accounts. If delegated authentication isn't enabled, you must first import the AD accounts, and they must appear on the Imported Users page, before JIT provisioning can create Okta accounts.

  1. In the Admin Console, go to Directory > Directory Integrations and select an AD instance.
  2. Click the Provisioning tab and click To Okta in the Settings list.
  3. Click Edit in the General section.
  4. Select Create and update users on login next to JIT provisioning.
  5. Scroll down and click Save.

Related topics

Active Directory integration known issues

LDAP integration known issues