Group based JIT
Just-in-time provisioning offers the ability to create a user or to activate an existing user. On this page you can set up rules that decide when users may be created and/or activated, based on the groups they bring with them during SAML or OIDC login. See more about how to configure group claims from the IdP.
The Advanced group based JIT provisioning allows you to define custom rules for user creation or activation based on group membership. Each rule specifies which groups to check, the type of membership check, and the resulting action.
If no rule matches during user login, the default behavior is to allow login.
If you would like to deny by default, create a rule with a group that does not exist, then configure "not in group" and result "deny". Make this rule the lowest priority, and it will catch all users not matching other rules.
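The following added example (not the product's own code or rule schema) models the evaluation described above, so you can see which logins pass only because of the allow default and how the lowest-priority catch-all rule closes that gap. The field names, the "in_any" check, first-match evaluation with lower numbers evaluated first, and all group and user names are assumptions made for illustration.

```python
# Added illustration; field names, check names and priority order are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int            # assumption: lower number = evaluated first
    groups: frozenset        # groups the rule checks
    check: str               # "in_any" or "not_in" (hypothetical names)
    result: str              # "allow" or "deny"

    def matches(self, user_groups: set) -> bool:
        overlap = bool(self.groups & user_groups)
        if self.check == "in_any":
            return overlap
        if self.check == "not_in":
            return not overlap
        raise ValueError(f"unknown check type: {self.check}")

def evaluate(rules, claimed_groups):
    """Return (decision, matched_rule_or_None); a missing claim means no groups."""
    user_groups = set(claimed_groups or [])
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(user_groups):
            return rule.result, rule
    # Documented default: no rule matched, so login is allowed.
    return "allow", None

# Constructed sample rules and group names.
BASE_RULES = [
    Rule(10, frozenset({"contractors-offboarded"}), "in_any", "deny"),
    Rule(20, frozenset({"engineering", "it-admins"}), "in_any", "allow"),
]
# Catch-all from the text: "not in" a group that no IdP will ever send.
CATCH_ALL = Rule(9999, frozenset({"__no-such-group__"}), "not_in", "deny")
HARDENED_RULES = BASE_RULES + [CATCH_ALL]

def audit_fail_open(rules, sample_logins):
    """List sample logins that are allowed only by the implicit default."""
    return [name for name, groups in sample_logins.items()
            if evaluate(rules, groups) == ("allow", None)]

SAMPLE_LOGINS = {  # constructed test identities
    "alice": ["engineering"],
    "bob": ["marketing"],
    "carol": None,                       # IdP sent no group claim at all
    "dave": ["engineering", "contractors-offboarded"],
}

print(audit_fail_open(BASE_RULES, SAMPLE_LOGINS), audit_fail_open(HARDENED_RULES, SAMPLE_LOGINS))
```

In this model a login that arrives without any group claim ("carol") is allowed by the default until the catch-all rule is in place.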