JIT Provisioning using OpenID Connect
When using the OpenID Connect protocol, the JIT End User Access Provisioning functionality can be activated by enabling the field ‘Allow JIT provisioning’ in the SSO configuration of the R-Service account. Once enabled, R-Service automatically triggers the JIT End User Access Provisioning for each ID token response from the OpenID Connect provider.
The JIT provisioning will follow these steps:
1. If the ‘Allow JIT provisioning’ field is not enabled for the SSO configuration of the R-Service account, go to step 4; if the ‘Allow JIT provisioning’ field is enabled, go to step 2.
2. If a person record with the primary email address specified in either the ID token or UserInfo response already exists in R-Service, update this person record with the JIT attributes present in the ID token and UserInfo responses and go to step 3; if no person record matching the primary email address specified in either the ID token or UserInfo response exists in R-Service, generate a new person record with the JIT attributes included in the ID token and UserInfo responses and go to step 3.
3. Save the person record. If successful, go to step 4; otherwise do not provide access and log an authentication failure in the Authentication Log, including all details (i.e. the validation errors).
4. Pass the ID token response to the R-Service SSO functionality for login.
Attributes
The following attributes (or claims) can be included in the ID token and UserInfo responses from the IdP to ensure that the corresponding field values are set in the person record of the person who is requesting access to R-Service:
- name
- given_name ¹
- family_name ¹
- middle_name ¹
- picture ²
- locale
- zoneinfo
¹ In case the name claim is not present, the name field in R-Service will be set to the concatenation of the given_name, family_name and middle_name claims.
² The picture claim maps onto the avatar field in R-Service.
Default Values
If an attribute is not included in the ID token or UserInfo response from the IdP, and a person record already exists for the primary email address specified in those responses, the corresponding field value of the existing person record does not get updated.
Similarly, if an attribute is not included in either the ID token or UserInfo response from the IdP, and a new person record needs to be generated using the information in those responses, the corresponding field is left blank, with the exception of the following fields:
- name - default value is the value of the email claim (i.e. the primary email of the person record that is being generated)
- locale - default value is the locale (or language) of the R-Service account
- time_zone - default value is the time zone of the R-Service account
- time_format_24h - default value is the default time format of the language (e.g. true if locale is en-US and false if locale is de)
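The provisioning steps, the claim-to-field mapping and the default values described above, as an added example that is not R-Service code: a small Python model of the algorithm. The person store (a dict keyed by primary email), the validation rules, the account settings, the language-to-24h table and the space-separated name concatenation are assumptions.

```python
# Claims listed on the page mapped onto person fields (picture -> avatar).
CLAIM_TO_FIELD = {"name": "name", "given_name": "given_name",
                  "family_name": "family_name", "middle_name": "middle_name",
                  "picture": "avatar", "locale": "locale", "zoneinfo": "time_zone"}
# Constructed account settings; the 24h table uses the pairs the page gives
# as examples (assumption: the real defaults come from R-Service's languages).
ACCOUNT = {"locale": "en-US", "time_zone": "Europe/Amsterdam"}
LANGUAGE_24H = {"en-US": True, "de": False}


def validate(record: dict) -> list:
    """Constructed validation rules standing in for R-Service's own checks."""
    errors = []
    if "@" not in (record.get("primary_email") or ""):
        errors.append("primary_email is not an email address")
    if not record.get("name"):
        errors.append("name is required")
    return errors


def jit_provision(people: dict, id_token: dict, userinfo: dict,
                  jit_enabled: bool, auth_log: list) -> "dict | None":
    """Steps 1-4 from the page; returns the record handed to SSO login, or None."""
    if not jit_enabled:                        # step 1: JIT off -> straight to step 4
        return people.get(id_token.get("email"))
    claims = {**userinfo, **id_token}          # a claim may sit in either response
    email = claims.get("email")
    record = people.get(email)                 # step 2: match on primary email
    is_new = record is None
    if is_new:
        record = {"primary_email": email}
    for claim, field in CLAIM_TO_FIELD.items():
        if claim in claims:                    # absent claims leave fields untouched
            record[field] = claims[claim]
    if "name" not in claims:                   # footnote 1, in the page's order
        parts = [claims[c] for c in ("given_name", "family_name", "middle_name")
                 if c in claims]
        if parts:
            record["name"] = " ".join(parts)   # assumption: space-separated
        elif is_new:
            record["name"] = email             # default for a new record
    if is_new:                                 # other defaults apply to new records only
        record.setdefault("locale", ACCOUNT["locale"])
        record.setdefault("time_zone", ACCOUNT["time_zone"])
        record["time_format_24h"] = LANGUAGE_24H.get(record["locale"], False)
    errors = validate(record)                  # step 3: save, or log and deny access
    if errors:
        auth_log.append({"email": email, "validation_errors": errors})
        return None
    people[email] = record
    return record                              # step 4: pass on to SSO login
```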