Asgardeo JIT User Provisioning
Learn how just-in-time user provisioning works in Asgardeo when authenticating users from federated Identity Providers.
— By Yasin
Just-in-Time (JIT) user provisioning is an advanced IAM feature offered by Asgardeo. It is utilised to automatically create user accounts in your organisation whenever a user logs in with Single Sign-On for the first time.
First, we will look at a simple example to properly understand how JIT works in practice. Now, let's imagine you're trying to log in to this application called Thrift for the first time. Thrift is an application with multiple authentication options such as email and password and sign-in with Google or GitHub social accounts.
Suppose it uses Asgardeo as its IAM solution.
Instead of entering your email and a new password to create an account, you are about to use one of your already logged in social accounts (i.e., GitHub or Google).
At this point, to authenticate into the application, Thrift’s IdP (Asgardeo) takes you to GitHub's authorisation page to get consent on what sort of information and permissions Thrift is using on behalf of you if you grant access.
Now, if I click on Deny, GitHub will take me back to Thrift's home page or sign-up page*. But what happens when I click on Authorize, huh? Well, there's a hefty amount of things Asgardeo should do on behalf of Thrift to give me a seamless login user experience.
So let's try to understand what's happening here. This is a swift flow of what users go through.
- You navigate to Thrift’s home page and proceeds to sign-up.
- Then, Thrift redirects you to its authentication server (Asgardeo).
- Say you chose GitHub. Now, Asgardeo redirects you to GitHub’s authentication server to authenticate and get consent from you.
- Once you click Authorize, GitHub redirects you back to Asgardeo, saying GitHub is happy and allows Asgardeo to access User information.
- Once the information is retrieved, Asgardeo creates a session for you and redirects you back to the application with a code so that Thrift can authenticate with Asgardeo again so you can get into the app.
Everything is seamless, right? Sometimes, it almost feels like magic to me! But in reality, it is not. We have missed one crucial thing Asgardeo does behind the scenes. This is where JIT comes into play!
Behind the Scenes
Do you remember when we initially started? Neither Asgardeo nor Thrift knew anything about me when I signed up via GitHub. I didn't have any account created in Asgardeo before.
When signing up via a federated connection, the system must decide whether to provision this federated user account on organisation premises or not. Therefore, this feature's fundamental goal is to create user accounts on the fly without creating them in advance.
Let me reiterate this scenario visually.
Do you see? JIT provisioning happens in the middle of an authentication flow. Asgardeo can create users on the fly without creating user accounts in advance and provision them just in time in a targeted user store. This seems so simple, but Asgardeo does all the heavy lifting for Thrift.
Before we begin, we need to have a functioning application (also called the service provider). Also, we need two federated connections (external identity providers) and add the SP as an application under an Asgardeo organisation.
Activate an Application
Well, Asgardeo lets you enable login to your own application, and it supports a variety of technologies. But for this demonstration, I'm going to use a sample application provided by Asgardeo with some slight modifications to its cosmetics 💅.
Activate Federated Connections
To demonstrate how JIT works, we require two federated connections. It can be either
enterprise connections or
social connections. To make
things simpler, I'm using Google and GitHub connections. Once created, we have
to loan this information (
client_secret) to Asgardeo.
Below videos are a skimmed version of the above guides.
Associate Connections to an Application
Now that we have an app and configured two federated identity providers, let's associate these connections to the application's sign-on methods. Asgardeo allows us to create multiple sign-on steps; however, we will add these connections to the first step.
Trying it out
Now, we can try out a login flow to see how it functions. To reiterate, remember that Asgardeo keeps JIT enabled by default. So, every first-time federated login will provision a user account on Asgardeo.
Next, if we check the
Users section on the Asgardeo Console, we can see that Asgardeo has
created a user profile under my organisation.
Woohoo 🎉, now we know how everything connects together, and it is time to shift some gears. What's even crazier is that Asgardeo allows you to control this cool feature! You can decide whether to keep auto-provisioning enabled or disabled .
Disabling Automatic Provisioning
Disabling JIT is straightforward. First, we navigate to a configured federated connection.
And then, go to its
Advanced settings and uncheck the field.
Trying it out
Now, we can try out an authentication flow with JIT user provisioning disabled.
Expected Behaviour 👀
Remember we disabled GitHub connection's JIT config, so preferably if we log in using GitHub, it should not provision users in our user store.
Now we know how to disable JIT user provisioning in Asgardeo, but at what cost, though?
Perils of Disabling JIT
Disabling JIT yields a few issues that affect the authentication flow of an application. Sometimes, if not configured correctly, it leads to poor user experience. Now let’s see what these issues are.
Conflict with Multi-Factor Authenticators
Asgardeo has advanced Multi-Factor Authentication (MFA) features such as TOTP, Email OTP, and Biometric authentication to secure user accounts. Usually, MFA allows you to grant access to resources by using two (2-Factor) or more (Multi-Factor) factors to authenticate users. It provides an additional layer of security to the resource.
Let’s configure some MFAs to our application, Thrift.
When you integrate one or more MFA to an application’s sign-on sequence, the flow expects a provisioned user account to be in a user store so that it can validate who you are.
Inherently, MFA handlers require user information to function properly. When we disable JIT for a particular IdP, the system cannot identify and persist information of a user. Thus making the flow ambiguous during multi-factor authentication.
Well, how can we prevent such scenarios?
Asgardeo gives us two choices. Either enable JIT User provisioning for the target connection or conditionally skip MFA for external connections during the login flow. Here's a sample code I borrowed from the documentation to conditionally skip MFA for federated connections.
Since the login happens in a pass-through mode, these users' profiles aren't logical. Users can still log in to the Thrift app using their accounts, but Asgardeo will not allow them to proceed to the My Account application.
All the user attributes derived from the external IdP will also be pass-through to the application (Thrift) without having the capability of editing them anywhere.
Ah, you got me there!
Okay, okay, I'll admit it. I lied 🤥. Currently, Asgardeo doesn't allow federated connection logins through My Account*. Regardless of whether JIT is enabled or disabled.
This is because Asgardeo is still in its baby steps. Support for that capability will be enabled soon. When that happens, I'll make sure to update this article. I pinky swear!
What JIT Brings to the Table?
In general, JIT user provisioning aims to reduce your workload and save time when managing federated user identities. Otherwise, you would have to create accounts manually through APIs whenever a new user registers for your application using SSO.
JIT user provisioning is Asgardeo’s fancy way of handling this complexity. JIT is handy when you integrate social connections tailored for specific use-cases such as event-based login and short lived applications. Also, in the same way, if we disable JIT, we can shun federated user accounts in the organisation for niche use-cases.
Whew! If you made it all the way here, thank you! I admire you. We learned a few things about Asgardeo's JIT user provisioning feature. Let's summarise what we have learned so far.
- It's an advanced feature engineered to handle complexities during federated user authentication.
- JIT user provisioning happens in the middle of an authentication flow.
- Asgardeo allows you to control (enable/disable) this feature.
- When enabled, a user profile is created in the local user store to persist information. It creates users on the fly.
- When disabled, access to the application happens (Service Provider) in a pass-through mode (without creating user accounts in advance).
- When disabled, we need to carefully handle the application's authentication flow and ensure it does not break.
And that's it! I hope you've enjoyed this methodical approach on how JIT user provisioning works in Asgardeo, and thanks again for reading!