Just-In_Time Provisioning

Just-In-Time provisioning is the process of creating users dynamically in Salesforce. Just-In-Time provisioning allows you to create regular and portal Salesforce users on the go. Once the admin has configured Just-In-Time provisioning then whenever an end-user tries to login for the first time his user is created in Salesforce. It is necessary for your organization to enable the SAML based Single Sign-On for using Just-In-Time provisioning.

Enabling User Provisioning

To enable user provisioning:

1. Navigate to Single Sign-On Setting page. 
2. Select User Provisioning Enabled. 
3. Click Save.

Process of User Provisioning

Salesforce adheres to the following process while performing user provisioning:

1. Salesforce matches the Federated ID of the SAML assertion Subject element and the FederationIdentifier of an existing user record. For example: testuser@testdomain.com
2. If a user record matches the Federated ID, Just In Time Provisioning uses the attribute information in the SAML assertion and updates the Salesforce fields.
   If a user record does not match the Federated ID, then Salesforce searches for contacts in the specified Account ID for a match based on LastName and Email.
3. If a matching Contact record is found, Just In Time Provisioning updates the contact fields specified in the attributes in SAML Assertion JIT provisioning then inserts the new user record.
   If a matching Contact record is not found, then Salesforce searches for accounts in Salesforce related to that Contact.
4. If an account record is found, Just In Time provision Inserts a new contact record and a new user record based on the provided attributes in the SAML Assertion.
   If an account record is not found, JIT provision inserts a new account record, a new contact record, and a new user record based on the provided attributes.

Just-In-Time Handler

By default Standard User Provisioning is used in Salesforce but if we want to have custom implementation of User Provisioning during Single Sign-On then we use SAML Just In Time Handler. Thus we can incorporate organization specific login, For example: Updating custom fields while user provisioning. JIT Handler class performs task of creating and updating user data, including creation of Account and Contact related to it.

A SAML JIT Handler class must implement SamlJitHandler interface. The following are the interface methods used for creating and updating user data:

• createUser()

• updateUser()

• handleJit()

• handleContact()

• handleAccount()

• handleUser()

Enabling User Provisioning using JIT Handler

To enable user provisioning using JIT Handler:

1. Navigate to Single Sign-On Setting page.
2. Select User Provisioning Enabled. The User Provisioning Type options appear.
   The User Provisioning Type options
   (Click the image to expand it.)
   
   

3. Select the User Provisioning Type as Custom SAML JIT with Apex handler. The fields of the selected User Provisioning Type appear.
   The fields of the selected User Provisioning Type
   (Click the image to expand it.)
   
   

4. Enter appropriate information in the fields given in the table below:
   
   

   Field	Description
   SAML JIT Handler	Click and select the appropriate class which implements the SAML JIT Handler
   Execute Handler As	Click  and select the appropriate user which runs the Apex class.

5. Click Save.
   
   

Benefits of Just-In-Time Provisioning

Following are the benefits of Just-In-Time Provisioning:

• Cost Effective: Helps administrators to create an account on demand. This simplifies the process of dynamic user provision
• Increased User Adoption: As user needs to remember just one password for logging into their organization and Salesforce, they are more likely to user Salesforce on a regular basis.
• Increased Security: All organization based password policies become applicable for Salesforce.

For example, If we enforce users to create a complex password in their organization, same complex password is used in Salesforce. This makes it less susceptible to hackers.