What is Just-In-Time provisioning and how to set it up
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
Just-In-Time (JIT) provisioning is a mechanism that automates the creation of user accounts in Atlassian applications when users log in for the first time through SAML SSO.
The data required to provision the user comes from the identity provider (IdP), so it eliminates the need for manual user provisioning and saves time and effort.
Key aspects of JIT provisioning include:
- Efficiency: User accounts are created only when needed.
- Manageability: Accounts with the verified domain will be provisioned and will become managed accounts.
- Automation: User attributes such as first name, last name, and email are automatically updated during the login process.
Prerequisites
- Atlassian Guard subscription
- SAML SSO is configured with your IdP
Configuration
To enable JIT provisioning for your managed accounts, you need to configure all of the following:
- Make sure the claim setting is Automatic
  If the domain is claimed in multiple Atlassian organisations, confirm which organisation should have the automatic claim setting before making any changes.
- Link domains to your identity provider directory
  Associate your verified domain with the IdP configuration where SAML SSO is configured for JIT provisioning.
- Enforce SAML single sign-on on a default authentication policy
  The default authentication policy associated with the IdP must have Single Sign-On (SSO) enforcement enabled.
- Make sure your IdP doesn't have a setting that prevents SSO
  For example, Enterprise applications on Entra ID have an option to filter unassigned users.