Set Up Just-In-Time User Provisioning
Learn how to set up JIT user provisioning.
JIT user provisioning creates new users at the time they first attempt to single sign-on into Foundry, and updates them each time they SSO again. This feature is advisable only for certain organizations.
If you want to turn on JIT, then once your account is enabled, do the following:
- Edit your identity provider configuration in the customer admin portal by navigating to Settings > Single sign-on.
- Check Allow automatic registration during SSO if you wish to have new users created automatically during SSO, if the user does not exist in Foundry.
- Check the Suppress Welcome Emails to users created via SSO checkbox if you don’t want users who are created during SAML SSO to get a welcome email.
The next three steps are relevant only if you checked Allow automatic registration during SSO. The Default User Type, Role and Location should be specified to set those properties for any users who get created during SSO. Note that all three of these properties can be overridden if desired by setting specific SAML Attributes as described below. The Default User Type, Role and Location apply only for new users. They do not affect existing Foundry users.
- Select Default User Type from the drop-down menu.
- Select Default User Role from the drop-down menu.
- Select the Default Location from the drop-down menu. Note that this property is not used for some lines of business including financial education.
If you checked Allow automatic registration during SSO then you must map the first name, last name and email SAML attributes. You may optionally map a SAML attribute for location, user type and role if you wish to override the default values (see the prior 3 steps immediately above) for a particular user.
- The Foundry User Property is the EVERFI property such as First Name, Last Name, etc.
- The SAML Attribute is the attribute name in your IDP’s SAML Assertion. Attribute names are case sensitive, so if the Attribute is `LastName` then enter `LastName` and not `lastname`.
- Is Editable? specifies if you wish to allow the user to edit their own information for that attribute, or a customer admin to edit that information, in EVERFI’s system only. If Is Editable? is not checked for a property, then for any user with a SSO ID, that property will not be editable by the user or by a customer admin.
- To override the default user type, provide the desired user type in an Attribute in the SAML response’s assertion provided by your IDP. If you specify a user type, then the Assertion must also send an Attribute to override the default user role with a role that belongs to the user type. For a list of the user type codes and the roles that go with each, see JIT: User Types And Roles, which lists the specific codes to use for this Attribute value. Note that you can only specify a user type that belongs in your account’s line of business.
- To override the default user role, provide the desired role in an attribute in the SAML response’s assertion provided by your IDP. If you want to set the role, then the Assertion also must set the user type. The allowable role values for this Attribute are contained in the same table described in the previous step. Except for the rare case that you want to provision admin users during single sign-on, you have the following options. Note these values are lowercase:
- If the user type is `cc_learner` (Employee Learner) then you can override the default user role with either `supervisor` or `non_supervisor`.
- None of the other user types permit an override of default user role (except for certain admin roles, which normally are not affected during single sign-on).
- If you want to override the default location, provide the desired location name in an attribute in the SAML response’s assertion provided by your IDP. The value you send must be the Foundry location name, not the ID.
If you did not check Allow automatic registration during SSO then you may provide attributes for first name, last name, email, location, user type and role if desired. If the SAML Assertion contains any of these Attributes then the existing user will be updated during SSO.
If the Assertion contains an Attribute for user type and also has an Attribute for role, and an existing user is logging in, then Foundry will give this user that user type + role combination if they do not already have it. Foundry will not remove an existing type + role, only add a new one if it doesn’t already exist. If the Foundry user already has the provided user type but with a different role, then Foundry will change the user’s role to the provided role in the Attribute.
When you have finished configuring your JIT setup, click Save to save your changes.
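The rules above (type and role overrides travel together, only `cc_learner` accepts a role override, existing users gain a type + role pair or have their role changed but never lose one, and update-only setups never create users) are easy to get wrong when reviewing a mapping. The following is an added illustration, not EVERFI code; `JitConfig`, `User` and `apply_jit` are hypothetical names and the sample attributes are constructed:

```python
from dataclasses import dataclass, field
from typing import Optional

# Role values the page permits as overrides for the Employee Learner type.
ROLE_OVERRIDES = {"cc_learner": {"supervisor", "non_supervisor"}}


@dataclass
class JitConfig:
    allow_registration: bool
    default_type: Optional[str] = None
    default_role: Optional[str] = None
    default_location: Optional[str] = None


@dataclass
class User:
    first_name: str
    last_name: str
    email: str
    location: Optional[str] = None
    # user type -> role; a user may hold several type/role pairs
    roles: dict = field(default_factory=dict)


def apply_jit(cfg, attrs, existing=None):
    """Apply one SSO login's mapped attributes; returns the resulting User or None."""
    utype, role = attrs.get("user_type"), attrs.get("role")
    # A type override requires a role override and vice versa.
    if (utype is None) != (role is None):
        raise ValueError("user type and role must both be provided to override")
    allowed = ROLE_OVERRIDES.get(utype)  # other types are not validated here
    if allowed is not None and role not in allowed:
        raise ValueError(f"role {role!r} is not permitted for {utype!r}")
    if existing is None:
        if not cfg.allow_registration:
            return None  # update-only configuration: unknown users are not created
        user = User(attrs["first_name"], attrs["last_name"], attrs["email"],
                    attrs.get("location", cfg.default_location))
        user.roles[utype or cfg.default_type] = role or cfg.default_role
        return user
    # Existing user: only attributes present in the assertion are updated.
    for prop in ("first_name", "last_name", "email", "location"):
        if prop in attrs:
            setattr(existing, prop, attrs[prop])
    if utype is not None:
        # Adds the pair if absent, or changes the role when the type already
        # exists; an existing type/role pair is never removed.
        existing.roles[utype] = role
    return existing
```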
Typical JIT Configurations
The following are typical JIT configurations based on your organization’s network. There may be some edge cases that deviate from these. Consult with your Account Manager to discuss further.
Financial Capability Network (FCN)
- Default User Type: Financial Education Student
- Default User Role: Learner
- Default Location: blank
- SAML Attributes: Attributes for First Name, Last Name and Email
Workplace Culture Network (WCN)
- Default User Type: Employee Learner
- Default User Role: Non-Supervisor
- Default Location: your primary location
- SAML Attributes:
- Attributes for First Name, Last Name and Email
- Attribute for Location to override default location, if you have more than one location. Set the Attribute value to the location name (case sensitive).
- Attribute for Role to override default role. Set the Attribute value to `supervisor` or `non_supervisor` as appropriate.
Update Existing Users Only (Do Not Create New Users)
While JIT normally is configured to both add and update users, you may choose to have JIT only update existing users but not add new users. While this configuration is not generally recommended, it is possible. To configure this feature to update existing users but not add new users:
- Do not check the Allow automatic registration during SSO checkbox
- Leave the default value fields for user type, role and location empty
- Add Attribute maps for user properties you wish to be updated during SSO as described above