Key points
- JIT eliminates pre-provisioning: the user account exists only after first sign-in.
- Works well for apps that don't support SCIM, or for low-touch onboarding.
- Limitation: no deprovisioning. The account stays after the user leaves unless paired with SCIM or scheduled cleanup.
- Attribute updates happen on each sign-in, so it doubles as a soft sync for changed roles/email/etc.
- Most enterprise IdPs (Okta, Entra ID, Ping, Google) support JIT provisioning into SAML/OIDC apps.
What is JIT provisioning?
Just-in-Time (JIT) provisioning creates a user record in a downstream application the first time that user signs in via SSO. The IdP's signed assertion carries enough attributes (email, name, groups) for the app to mint an account on the spot.
It's the lightweight alternative to a full SCIM sync — useful when:
- The downstream app doesn't speak SCIM.
- The user population is large and unpredictable, so pre-provisioning everyone is wasteful.
- You want to keep authoritative attributes in the IdP and let them flow on each sign-in.
How it works
- New employee Alice tries to access Notion. Notion sees no session, redirects to the IdP.
- Alice authenticates. The IdP issues a SAML Assertion / OIDC ID token containing `email`, `given_name`, `family_name`, and `groups`.
- Notion validates the assertion, finds no matching local account, and creates one using the attributes.
- Subsequent sign-ins update the attributes (group membership changes role, name changes propagate).
Where it falls short
- Deprovisioning — JIT doesn't offboard. If Alice leaves the company, her Notion account stays unless the IdP can also send a SCIM `DELETE` (or you run periodic cleanup).
- License management — apps that bill per active user need pre-provisioning to size licenses; JIT can blow budgets if every employee signs in, even accidentally, since each first sign-in creates a billable account.
- Pre-creating groups / spaces / mailboxes — JIT can only act at sign-in time.
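As an added illustration of the sign-in flow described under "How it works" and of the deprovisioning gap above, the following example code is not from the page or from any IdP or app vendor. It assumes the assertion has already been validated (signature, audience, validity window), uses constructed group names and claim values, and keys local accounts on the IdP's stable subject identifier rather than the email, which the IdP may change between sign-ins.

```python
from dataclasses import dataclass
# Constructed group-to-role mapping for this example; a real app reads it from config.
GROUP_TO_ROLE = {"notion-admins": "admin", "notion-editors": "editor"}
ROLE_PRECEDENCE = ["admin", "editor", "viewer"]  # most privileged first

@dataclass
class Account:
    subject: str        # stable IdP identifier (SAML NameID / OIDC sub)
    email: str
    display_name: str
    role: str
    active: bool = True

def role_from_groups(groups) -> str:
    """Most privileged role granted by any mapped group; unmapped users get viewer."""
    granted = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    return next((r for r in ROLE_PRECEDENCE if r in granted), "viewer")

class JitProvisioner:
    """Runs only after the assertion is validated (signature, audience, validity
    window). Accounts are keyed on the subject, never the email: email is a
    mutable attribute, and keying on it lets a reassigned address inherit an account."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def sign_in(self, claims: dict) -> tuple[Account, bool]:
        """Create the account on first sign-in, refresh attributes afterwards.
        Returns (account, created)."""
        subject = claims.get("sub")
        if not subject or not claims.get("email"):
            raise ValueError("assertion lacks a subject or email claim")
        name = f"{claims.get('given_name', '')} {claims.get('family_name', '')}".strip()
        role = role_from_groups(claims.get("groups", []))
        acct = self.accounts.get(subject)
        if acct is None:
            acct = self.accounts[subject] = Account(subject, claims["email"], name, role)
            return acct, True
        # Soft sync: the IdP's attributes win on every sign-in, and a fresh
        # assertion means the IdP still vouches for the user, so reactivate.
        acct.email, acct.display_name, acct.role, acct.active = claims["email"], name, role, True
        return acct, False

    def deprovision_missing(self, idp_subjects: set[str]) -> list[str]:
        """The scheduled cleanup JIT never does itself: deactivate local accounts the
        IdP no longer lists (e.g. from a SCIM or CSV export). Returns subjects disabled."""
        disabled = [s for s, a in self.accounts.items() if a.active and s not in idp_subjects]
        for s in disabled:
            self.accounts[s].active = False
        return disabled
```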
JIT vs SCIM
| Concern | JIT | SCIM |
| --- | --- | --- |
| Onboarding latency | Zero (account at first login) | Near-real-time on HRIS event |
| Offboarding | No | Yes |
| Group sync | At sign-in | Continuous |
| Best for | Long-tail SaaS, partner orgs | Critical apps, regulated workloads |
Editorial note
Use JIT for the long tail and SCIM for the critical apps. The combination — JIT for fast onboarding plus periodic SCIM/CSV-driven offboarding — is a pragmatic middle ground when budgets won't cover SCIM everywhere.
