The Just-In-Time User Provisioning (JIT Provisioning) function helps users log in to Brightspace and automatically creates their Brightspace user account without administrator intervention.
Each time users log in using Just-In-Time User Provisioning, their data is updated with information from the identity provider. If a user has no account in Brightspace, their account is created using details provided by the SAML user claim attributes when logging in for the first time.
To enable Just-In-Time User Provisioning

Note: Ensure the Manage SAML Authentication and Manage SAML JIT Provisioning Configurations permissions are granted to administrators at the org level.
- From Admin Tools (click the Gear icon in the upper right corner), click SAML Administration.

- Click Add Identity Provider. Add a new provider as described in the Add an Identity Provider topic. You will be redirected to the Manage Identity Provider page.
- Select the Manage Just-In-Time Provisioning tab.

- Enable JIT Provisioning Enabled (default is OFF) to create Brightspace user accounts from the attributes of your identity provider automatically.
- Click Clear configuration.

- From the Attribute Map section:
  - Select Update attributes on login.
  - Ensure that the User/Name ID Mapping attribute is not updated on the Identity Provider side.
  - Set the mapping for the Mandatory attributes:

| Brightspace Attribute | Statement Attribute |
|---|---|
| First Name* | FirstName |
| Last Name* | LastName |
| Username* | UserName |
| OrgDefinedId | UserId |
| Email | Email |
| Role* | UserType |
Warning: The user attributes shown in the Attribute Map section must exist in both the SAML SSO system and Brightspace. Depending on your system, these can be added to the user profile and mapped to SAML Attribute statements. Consult your SSO expert or vendor.
- From the Role Map section:
  - Select Update role on login.
  - Create a list of role mappings. Click Add Mapping to add a new pair, then select the Brightspace role that maps to the Provider role.

Note: Each Provider role can only map to one Brightspace role, but one Brightspace role may be mapped to multiple Provider roles. You can add or remove mappings as needed.
- Click Save and Close.
After enabling JIT Provisioning, a JIT Provisioning Enabled label appears on the Manage page and in the Identity Providers list on SAML Administration.
You can use the JIT Provisioned Users Log data set to view how many users have been created via SAML for troubleshooting or audit purposes.
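Because the role of a JIT-created account comes from the UserType claim, it is worth checking a test assertion from your identity provider against the Attribute Map and Role Map before enabling the feature. The following is an added example, not D2L code: it assumes the IdP emits attributes under the Statement Attribute names in the table above, uses constructed role names and a constructed unsigned assertion, and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Statement attribute -> (Brightspace attribute, mandatory?) from the Attribute Map table
ATTRIBUTE_MAP = {"FirstName": ("First Name", True), "LastName": ("Last Name", True),
                 "UserName": ("Username", True), "UserId": ("OrgDefinedId", False),
                 "Email": ("Email", False), "UserType": ("Role", True)}
# Constructed Role Map pairs (Provider role, Brightspace role); role names are placeholders
ROLE_PAIRS = [("student", "Learner"), ("pupil", "Learner"), ("faculty", "Instructor")]

def build_role_map(pairs):
    """Return {provider_role: brightspace_role}; reject a Provider role mapped twice."""
    role_map = {}
    for provider, brightspace in pairs:
        if role_map.setdefault(provider, brightspace) != brightspace:
            raise ValueError(f"Provider role {provider!r} maps to more than one Brightspace role")
    return role_map

def read_attributes(assertion_xml):
    """Collect the non-empty AttributeValue texts for each Attribute Name."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def check_assertion(assertion_xml, role_map):
    """List mismatches between an assertion and the Attribute Map / Role Map."""
    attrs = read_attributes(assertion_xml)
    problems = [f"missing mandatory attribute {name} ({field})"
                for name, (field, mandatory) in ATTRIBUTE_MAP.items()
                if mandatory and not attrs.get(name)]
    problems += [f"provider role {role!r} has no Brightspace role mapping"
                 for role in attrs.get("UserType", []) if role not in role_map]
    return problems

def sample_assertion(values):
    """Build a constructed, unsigned assertion fragment for offline testing."""
    body = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                   f'</saml:Attribute>' for n, v in values.items())
    return (f'<saml:Assertion xmlns:saml="{NS}"><saml:AttributeStatement>{body}'
            f'</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    roles = build_role_map(ROLE_PAIRS)
    good = {"FirstName": "Ada", "LastName": "Byron", "UserName": "abyron", "UserType": "student"}
    bad = {"FirstName": "Sam", "UserName": "sroot", "UserType": "sysadmin"}
    for label, values in (("good", good), ("bad", bad)):
        print(label, check_assertion(sample_assertion(values), roles))
```

Run it against an assertion captured from a test login in place of the constructed samples; an empty list means every mandatory attribute is present and the provider role has a mapping.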