Just-In-Time (JIT) Provisioning

Just-in-time provisioning can create and update user information upon first sign-in based on attributes included in their SAML token.

How it works

  1. User signs in via single sign-on
  2. A SAML assertion is sent from the identity provider (IdP)
  3. Laserfiche extracts user attributes from the token
  4. Laserfiche creates a user account or updates an existing one
  5. The user is signed in to Laserfiche Cloud after successful provisioning

Prerequisites

Before you can use Just-in-Time provisioning, complete the following setup:

  1. Configure single sign-on (SSO).
  2. Map the following attributes: Email, Firstname, Lastname, and Groups.

Configuring Just-in-Time Provisioning

  1. Navigate to Laserfiche Cloud Account Administration.
  2. View the Settings page.
  3. Select the Identity Provider tab.
  4. Select the Provisioning tab.
  5. Select the Just-in-time option.
  6. Select the Configure federated groups link to view the Federated Groups page and create a new group.
  7. Navigate back to the Provisioning tab to see a list of federated groups.
  8. Click Add a new rule to select a federated group and the license type that will be assigned to any users in this group.

    Note: Federated group rules must be organized by priority. If a user belongs to multiple groups, the user is assigned the license from the higher-priority (first) group rule.

  9. Turn on the Detailed error reporting option to display a detailed error to users when Laserfiche is unable to successfully sign them in through single sign-on (i.e., the user is correctly signed in via SSO with their identity provider, but the sign-in request sent to Laserfiche is misinterpreted or misconfigured). The error can contain details on why the initial SSO configuration with Laserfiche Cloud has failed (e.g., a bad claim or certificate issues).

    Important: Use this feature sparingly, because the detailed errors display details about a customer's identity provider configuration. This feature is for troubleshooting only and should not be left on indefinitely.

  10. To finish, click Save changes.
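
To check a rule order before saving it, the sketch below previews which license a user would receive from the mapped attributes and the priority-ordered federated group rules described above. It is an added example, not Laserfiche code: the group names, license labels and sample assertion are constructed, and it assumes the assertion's signature has already been validated, that each SAML Attribute Name equals the mapped name, and that an unmatched user gets no license (the page does not say what happens in that case).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("Email", "Firstname", "Lastname", "Groups")  # attributes mapped in the prerequisites

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Lastname"><saml:AttributeValue>Lopez</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Staff</saml:AttributeValue>
      <saml:AttributeValue>Records-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical rules in priority order: (federated group, license label).
RULES = [("Records-Admins", "license-A"), ("Staff", "license-B")]

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from an already signature-validated assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def plan_provisioning(assertion_xml, rules):
    """Preview the account fields and license that the rule order would produce."""
    attrs = extract_attributes(assertion_xml)
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        raise ValueError("assertion is missing mapped attributes: " + ", ".join(missing))
    groups = set(attrs["Groups"])
    # Rule order decides, not the order of groups in the assertion:
    # the first rule whose group the user belongs to wins.
    license_label = next((lic for grp, lic in rules if grp in groups), None)
    return {"email": attrs["Email"][0], "first_name": attrs["Firstname"][0],
            "last_name": attrs["Lastname"][0], "license": license_label}

if __name__ == "__main__":
    print(plan_provisioning(SAMPLE_ASSERTION, RULES))
```

Reordering the rules changes the result for users who belong to more than one federated group, which is the case to review when a lower-privilege license is meant to take precedence.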