The Just-In-Time User Provisioning (JIT Provisioning) function helps users to log in to Brightspace and automatically creates their Brightspace user account without an administrator intervening.
Each time users log in using Just-In-Time User Provisioning, their data is updated with the data obtained from the identity provider. If a user has no account in Brightspace, their account is created using details provided by the SAML user claim attributes when the user logs in for the first time.
To enable Just-In-Time User Provisioning
Note: Ensure the Manage SAML Authentication and Manage SAML JIT Provisioning Configurations permissions are granted to administrators at the org level.
- From Admin Tools (click the Gear icon on the upper right corner), click SAML Administration.
  Figure: Admin Tools with the SAML Administration option highlighted.
- Click Add Identity Provider. Add a new provider as described in the Add an Identity Provider topic. As a result, you will be redirected to the Manage Identity Provider page.
- Select the Manage Just-In-Time Provisioning tab.
  Figure: The Manage Identity Provider page with the Manage Just-In-Time Provisioning tab highlighted.
- Enable JIT Provisioning Enabled (its default value is OFF) to create Brightspace user accounts from the attributes of your identity provider automatically.
- Click Clear configuration.
  Figure: The Manage Just-In-Time Provisioning page with the JIT Provisioning Enabled and Clear configuration highlighted.
- From the Attribute Map section:
  - Select Update attributes on login.
  - Ensure that the User/Name ID Mapping attribute is not updated on the Identity Provider side.
  - Set the mapping for the Mandatory attributes:

    | Brightspace Attribute | Statement Attribute |
    |---|---|
    | First Name* | FirstName |
    | Last Name* | Last Name |
    | Username* | Username |
    | OrgDefinedId | UserId |
    | Email | Email |
    | Role* | UserType |

  Figure: The Attribute Map section.
  Warning: The user attributes shown in the Attribute Map section need to exist in the SAML SSO system as well as Brightspace. Depending on your specific system, these can be added to the user profile and then mapped to SAML Attribute statements. Consult with your SSO onsite experts and/or your SSO vendor.
- From the Role Map section:
  - Select Update role on login.
  - Create a list of role mappings. Click Add Mapping to add a new pair, then select the Brightspace role from the list that maps to the Provider role.
  Figure: The Role Map section.
  Note: Each Provider role must only be mapped to one Brightspace role. The same Brightspace role may be mapped to multiple Provider roles. You can add more mappings or delete existing ones.
- Click Save and Close.
After you enable JIT Provisioning, a JIT Provisioning Enabled label appears on the Manage page and in the list of Identity Providers on SAML Administration.
You can use the JIT Provisioned Users Log data set to answer questions about how many users have been created via SAML for troubleshooting or auditing purposes.
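An added example (not from the Brightspace documentation or product code): a pre-flight check that a SAML attribute statement captured from your identity provider carries the mandatory attributes from the Attribute Map table, and that a planned Role Map maps each Provider role to only one Brightspace role. The sample statement, the role names and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# From the Attribute Map table: Brightspace attribute -> (statement attribute, mandatory?)
ATTRIBUTE_MAP = {
    "First Name": ("FirstName", True),
    "Last Name": ("Last Name", True),
    "Username": ("Username", True),
    "OrgDefinedId": ("UserId", False),
    "Email": ("Email", False),
    "Role": ("UserType", True),
}

# Constructed sample: "Last Name" is absent and the role has no mapping.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Username"><saml:AttributeValue>alovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="UserType"><saml:AttributeValue>contractor</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def build_role_map(pairs):
    """Build provider role -> Brightspace role; a provider role may map to only one role."""
    role_map = {}
    for provider_role, brightspace_role in pairs:
        if role_map.setdefault(provider_role, brightspace_role) != brightspace_role:
            raise ValueError(f"{provider_role!r} is mapped to more than one Brightspace role")
    return role_map

def read_attributes(statement_xml):
    """Return {attribute name: [non-empty values]} from an AttributeStatement."""
    # Parses an admin-captured sample only; signature validation is out of scope here.
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_statement(statement_xml, role_map):
    """List mandatory attributes that are missing and provider roles with no mapping."""
    attrs = read_attributes(statement_xml)
    problems = [f"missing mandatory attribute {name!r} for {field}"
                for field, (name, mandatory) in ATTRIBUTE_MAP.items()
                if mandatory and not attrs.get(name)]
    role_attr = ATTRIBUTE_MAP["Role"][0]
    problems += [f"provider role {role!r} has no Brightspace role mapping"
                 for role in attrs.get(role_attr, []) if role not in role_map]
    return problems

# Constructed role pairs; the role names are assumptions.
ROLE_MAP = build_role_map([("faculty", "Instructor"), ("staff", "Instructor"), ("student", "Learner")])
```
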