Adding a SAML Just-in-Time Identity Provider
Set up a SAML identity provider (IdP) that uses just-in-time (JIT) provisioning for an identity domain in IAM.
1. Navigate to the identity domain: Open the navigation menu and click Identity & Security. Under Identity, click Domains.
2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Security and then Identity providers.
3. Click the name of an identity provider.
4. On the details page, click Configure JIT.
5. Select Enable Just-in-Time (JIT) provisioning.
6. Select one of the following options:
   - Create a new identity domain user: Creates a user in the identity domain if the user doesn't exist when they sign in with the identity provider.
   - Update the existing identity domain user: Merges the identity domain user account data with the data from the mapped IdP. Existing data is overwritten by the user data from the IdP.
   Note: To enable JIT, you must select one of these options.
7. In the Map user attributes area, map a user account from the IdP to a user account in the identity domain:
   - Select a value in the IdP user attribute type row.
   - If you select Attribute, enter the IdP user attribute name.
   - If you select NameID, you don't need to enter an IdP user attribute name.
   - (Optional) Select the identity domain user attribute.
   - (Optional) Add more identity domain attributes.
8. To enable group mapping, click Assign group mapping.
   Note: If you enable group mapping, proceed to step 9. If not, skip to step 10.
9. For Group membership attribute name, enter the IdP attribute name that contains group memberships, and then select how to import the group settings:
   - Define explicit group mapping: Requires you to provide the group name to map between the IdP and the identity domain. If you select this option, enter the IdP group name and select an available identity domain group name.
   - Assign implicit group mapping: Maps an IdP group to an identity domain group that has the same name. No other action is required.
10. (Optional) To assign group memberships from the identity domain, select Assign domain group memberships and then perform the following steps:
    - Click Add group.
    - Select the groups that you want to add, and then click Add groups.
11. Under Assignment rules, specify the actions to take when assigning group memberships:
    - If users are assigned to existing groups, select whether to merge with existing group memberships or replace existing group memberships.
    - When a group isn't found, select one of the following actions:
      - Ignore the missing group: The user signs in successfully.
      - Fail the entire request: The sign-in attempt fails.
12. Click Save Changes.
13. (Optional) Activate the IdP before adding it to any policies. For more information, see Activating or Deactivating an Identity Provider.
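The settings chosen in the attribute-mapping, group-mapping and assignment-rule steps only show their combined effect once a user actually signs in. The Python script below is an added example, not OCI code or the console's own logic: it models those rules over a constructed SAML assertion so you can check offline which attributes and groups a user ends up with under explicit or implicit group mapping, merge or replace, and ignore or fail. The assertion contents, the `JitConfig` and `Domain` structures, and every attribute and group name in it are invented for the example; the one behavioural assumption (group rules applied on both create and update sign-ins) is marked in a comment. Group mapping is resolved before anything is written, so a "Fail the entire request" outcome leaves no half-provisioned user behind.

```python
"""Model of the JIT provisioning rules described above (added example, not OCI code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: signature omitted, attribute and group names invented.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>idp-admins</saml:AttributeValue>
      <saml:AttributeValue>idp-readers</saml:AttributeValue>
      <saml:AttributeValue>idp-unknown</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class JitError(Exception):
    """The modelled sign-in fails."""


@dataclass
class JitConfig:
    create_user: bool = True                  # "Create a new identity domain user"
    update_user: bool = True                  # "Update the existing identity domain user"
    # IdP attribute name, or the literal "NameID" -> identity domain user attribute
    attribute_map: dict = field(default_factory=lambda: {
        "NameID": "userName", "givenName": "name.givenName", "sn": "name.familyName"})
    group_attribute: Optional[str] = "memberOf"   # None: "Assign group mapping" not enabled
    explicit_group_map: Optional[dict] = None     # None: implicit mapping by identical name
    static_groups: tuple = ()                     # "Assign domain group memberships"
    replace_groups: bool = False                  # False: merge; True: replace
    fail_on_missing_group: bool = False           # False: "Ignore the missing group"


@dataclass
class Domain:
    groups: set                                   # identity domain group names
    users: dict = field(default_factory=dict)     # userName -> {"attrs": {}, "groups": set()}


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", SAML_NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)}
    return name_id, attrs


def provision(xml_text, cfg, domain):
    """Apply the JIT rules to one sign-in; return the user record or raise JitError."""
    if not (cfg.create_user or cfg.update_user):
        raise JitError("JIT needs create or update selected")
    name_id, idp_attrs = parse_assertion(xml_text)

    # User attribute mapping: "NameID" takes the subject, anything else a named attribute.
    mapped = {}
    for idp_attr, domain_attr in cfg.attribute_map.items():
        if idp_attr == "NameID":
            mapped[domain_attr] = name_id
        elif idp_attrs.get(idp_attr):
            mapped[domain_attr] = idp_attrs[idp_attr][0]
    user_name = mapped.get("userName")
    if not user_name:
        raise JitError("no IdP attribute is mapped to userName")

    # Group mapping, resolved before anything is written so that "Fail the entire
    # request" leaves no half-provisioned user behind.
    incoming = set(cfg.static_groups)
    if cfg.group_attribute is not None:
        for idp_group in idp_attrs.get(cfg.group_attribute, []):
            target = idp_group if cfg.explicit_group_map is None else cfg.explicit_group_map.get(idp_group)
            if target in domain.groups:
                incoming.add(target)
            elif cfg.fail_on_missing_group:
                raise JitError(f"no identity domain group for IdP group {idp_group!r}")
            # otherwise: "Ignore the missing group"

    user = domain.users.get(user_name)
    if user is None:
        if not cfg.create_user:
            raise JitError(f"{user_name} does not exist and create is not enabled")
        user = domain.users[user_name] = {"attrs": dict(mapped), "groups": set()}
    elif cfg.update_user:
        user["attrs"].update(mapped)   # IdP values overwrite; attributes the IdP omits are kept

    # Assignment rule. Assumption: applied on create and on update sign-ins alike.
    user["groups"] = incoming if cfg.replace_groups else user["groups"] | incoming
    return user


if __name__ == "__main__":
    domain = Domain(groups={"admins", "readers", "all-users"})
    cfg = JitConfig(explicit_group_map={"idp-admins": "admins", "idp-readers": "readers"},
                    static_groups=("all-users",))
    print(provision(SAMPLE_ASSERTION, cfg, domain))
```

Run it as-is to see the create path with explicit mapping: `idp-unknown` has no mapping and is silently dropped, while the static `all-users` membership is merged in. Set `replace_groups=True` or `fail_on_missing_group=True` in the config to see the other assignment-rule outcomes. Assertion signature and audience validation are deliberately outside this model; a real IdP integration must verify the assertion before any of this logic runs.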