Just-in-Time Provisioning for SAML Salesforce
Use Just-in-Time (JIT) provisioning to automatically create a user account in your Salesforce org the first time a user logs in with single sign-on (SSO). JIT provisioning can reduce your workload and save time. It also applies your corporate network's password policies to your org automatically, potentially increasing security.
With JIT provisioning, you can use a SAML assertion to create users the first time they log in to your org from a third-party identity provider. JIT provisioning saves you time and effort because it eliminates the need to provision users or create user accounts in advance.
For example, your company adds several new employees, and you want to create user accounts for them in your org as soon as possible. You configure SSO and set up JIT provisioning. Now, when the new employees log in with SSO, the JIT provisioning method automatically creates their accounts.
Guidelines for Just-in-Time (JIT) provisioning:
1. Salesforce attempts to match the Federated ID in the subject of the SAML assertion (e.g. 12345) to the FederationIdentifier field of an existing user record.
2. If a matching user record is found, JIT provisioning uses the assertion attributes to update the user fields specified in those attributes.
3. If no matching user record is found, Salesforce searches Contacts for a match based on Contact ID (User.Contact) or email (Contact.Email).
Contact.Email and Contact.LastName are both required properties when User.Contact is not specified. When both properties exist, matching is based only on Contact.Email.
4. If a matching contact record is found, JIT provisioning uses the attributes to update the contact fields specified in the attributes and then inserts the new User record.
5. If no matching contact record is found, Salesforce searches Accounts for a match based on Contact.Account or Account.AccountNumber.
Account.AccountNumber and Account.Name are both required properties when Contact.Account is not specified. When both properties exist, matching is based only on Account.AccountNumber.
6. If a matching account record is found, JIT provisioning inserts a new contact record and a new User record based on the attributes provided.
7. If no matching account record is found, JIT provisioning inserts a new account record, a new contact record, and a new User record based on the attributes provided.
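As an added illustration (not Salesforce's code and not code from the original post), the following Python simulates the seven-step match cascade above against constructed in-memory User, Contact and Account rows. The record ids, emails and account numbers are constructed sample values; the real matching runs inside Salesforce, and this model only makes the order of the lookups and the "required properties" rules visible.

```python
"""Simulation of the SAML JIT provisioning match cascade (added example).

Assumptions: records are plain dicts, ids are constructed placeholders,
and attribute keys use the Salesforce-style prefixes User., Contact., Account.
"""
from dataclasses import dataclass, field


@dataclass
class Org:
    users: list = field(default_factory=list)
    contacts: list = field(default_factory=list)
    accounts: list = field(default_factory=list)


def _next_id(prefix, rows):
    # Constructed placeholder ids, not real Salesforce record ids.
    return f"{prefix}CON{len(rows) + 1:09d}"


def _require(attrs, keys):
    # Enforce the "required properties" rules from guidelines 3 and 5.
    missing = [k for k in keys if k not in attrs]
    if missing:
        raise ValueError(f"missing required JIT attributes: {missing}")


def _fields(attrs, prefix, exclude=()):
    # Strip the object prefix from attribute keys, e.g. 'Contact.Email' -> 'Email'.
    return {k[len(prefix):]: v for k, v in attrs.items()
            if k.startswith(prefix) and k not in exclude}


def jit_provision(org, federation_id, attrs):
    """Apply the cascade; return (action_taken, user_record)."""
    # Steps 1-2: exact match on the Federated ID from the assertion subject.
    for user in org.users:
        if user.get("FederationIdentifier") == federation_id:
            user.update(_fields(attrs, "User.", exclude=("User.Contact",)))
            return "updated user", user

    # Step 3: no user, search contacts by Contact ID, otherwise by email.
    if "User.Contact" in attrs:
        contact = next((c for c in org.contacts if c["Id"] == attrs["User.Contact"]), None)
    else:
        _require(attrs, ["Contact.Email", "Contact.LastName"])
        contact = next((c for c in org.contacts if c["Email"] == attrs["Contact.Email"]), None)

    if contact is None:
        # Step 5: no contact, search accounts by Account ID, otherwise by number.
        if "Contact.Account" in attrs:
            account = next((a for a in org.accounts if a["Id"] == attrs["Contact.Account"]), None)
        else:
            _require(attrs, ["Account.AccountNumber", "Account.Name"])
            account = next((a for a in org.accounts
                            if a["AccountNumber"] == attrs["Account.AccountNumber"]), None)
        if account is None:
            # Step 7: insert a new account first.
            account = {"Id": _next_id("001", org.accounts)}
            account.update(_fields(attrs, "Account."))
            org.accounts.append(account)
            action = "inserted account, contact and user"
        else:
            action = "inserted contact and user"
        # Steps 6-7: insert the contact linked to the matched or new account.
        contact = {"Id": _next_id("003", org.contacts), "AccountId": account["Id"]}
        contact.update(_fields(attrs, "Contact.", exclude=("Contact.Account",)))
        org.contacts.append(contact)
    else:
        # Step 4: update the matched contact before inserting the user.
        contact.update(_fields(attrs, "Contact.", exclude=("Contact.Account",)))
        action = "updated contact, inserted user"

    user = {"Id": _next_id("005", org.users), "FederationIdentifier": federation_id,
            "ContactId": contact["Id"]}
    user.update(_fields(attrs, "User.", exclude=("User.Contact",)))
    org.users.append(user)
    return action, user


def sample_org():
    """Constructed sample records standing in for existing org data."""
    org = Org()
    org.accounts.append({"Id": "001CON000000001", "AccountNumber": "ACME-42", "Name": "Acme"})
    org.contacts.append({"Id": "003CON000000001", "AccountId": "001CON000000001",
                         "Email": "jane@example.com", "LastName": "Doe"})
    org.users.append({"Id": "005CON000000001", "FederationIdentifier": "12345",
                      "Email": "jane@example.com", "ContactId": "003CON000000001"})
    return org


if __name__ == "__main__":
    org = sample_org()
    print(jit_provision(org, "12345", {"User.Email": "jane.doe@example.com"})[0])
    print(jit_provision(org, "24680", {"Contact.Email": "bob@example.com",
                                       "Contact.LastName": "Smith",
                                       "Account.AccountNumber": "ACME-42",
                                       "Account.Name": "Acme"})[0])
```

Two points the simulation makes visible for anyone reviewing a JIT setup: the Federated ID comparison in step 1 is an exact string match, so an assertion with an unknown subject never updates an existing user but falls through to the contact and account lookups; and once the cascade reaches step 3, the email or account number carried in the assertion decides which existing contact or account the new user is attached to, so the identity provider issuing those attributes must be one the org fully trusts.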
I am sharing an existing YouTube video that will make JIT easier to understand.