Just-in-Time End User Access Provisioning

ITRP’s Just-in-Time (JIT) End User Access Provisioning functionality is used by support organizations to automate the registration and maintenance of the organization’s end users in ITRP. This functionality essentially allows organizations to offload this responsibility to their identity provider (IdP).

When someone attempts to access an organization’s ITRP account that has Single Sign-On activated, the JIT End User Access Provisioning functionality picks up the trusted information that the IdP provides to automatically register a new person record for this user if this person could not be found in ITRP. If the person was already registered in the organization’s ITRP account, the trusted information from the IdP is used to update this person’s record.

Triggering the JIT End User Access Provisioning Functionality

The JIT End User Access Provisioning functionality does not need to be activated separately. As soon as the Single Sign-On (SSO) functionality is activated for an organization’s ITRP account, ITRP automatically reviews each SAML response that it receives from the organization’s IdP to determine whether the JIT End User Access Provisioning functionality needs to be triggered. This is done as follows:

  1. If the SAML response does not include any of the JIT provisioning attributes (see section below), go to step 3; else
    if the SAML response contains one or more JIT attributes, a person record with the primary email address specified in the SAML response already exists in the ITRP account, and all attributes are the same as the corresponding field values in the existing person record (i.e. an update is not required), go to step 3; else
    if the SAML response contains one or more JIT attributes and a person record with the primary email address specified in the SAML response already exists in the ITRP account, update this person record with the JIT attributes included in the SAML response and go to step 2; else
    if the SAML response contains one or more JIT attributes and a person record with the primary email address specified in the SAML response does not yet exist in the ITRP account, generate a new person record with the JIT attributes included in the SAML response and go to step 2.

  2. Save the person record. If successful, go to step 3, else do not provide access and log an authentication failure in the Authentication Log and include all details (i.e. the SAML response attributes and the validation errors).

  3. Pass the SAML response to the ITRP SSO functionality for login.

Attributes

Person Attributes

The following attributes can be included in the SAML response from the IdP to ensure that the corresponding field values are set in the person record of the person who is requesting access to ITRP:

¹ either the ITRP ID or the Name field value - if a match is not found the corresponding field in the person record is set to blank.

² either the ITRP ID, the Primary email field value, or the Name field value - if a match is not found the corresponding field in the person record is set to blank.

Telephone Number Attributes

It is possible to include multiple telephone numbers in the SAML response from the identity provider. For each telephone number a label (e.g. work or home) needs to be specified. Multiple telephone numbers with the same label can be included in the SAML response.

Custom Data Attributes

When a UI extension is used to add additional fields to the Person form, these custom fields can be populated by including their values in the SAML response from the identity provider. The attribute name for a custom field (e.g. Date of birth or Start date) consists of the prefix custom_data: followed by the ID that the field has in the UI extension.

Default Values

If an attribute is not included in the SAML response from the IdP, and a person record already exists for the primary email address specified in the SAML response, the corresponding field value of the existing person record does not get updated.

Similarly, if an attribute is not included in the SAML response from the IdP, and a new person record needs to be generated using the information in the SAML response, the corresponding field is left blank, with the exception of the following fields:


Example XML of a SAML Response with JIT Provisioning Attributes


  <AttributeStatement>
    <Attribute Name="source" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">JIT Provisioning</AttributeValue>
    </Attribute>
    <Attribute Name="sourceID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">JOHSMI</AttributeValue>
    </Attribute>
    <Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">John Smith</AttributeValue>
    </Attribute>
    <Attribute Name="supportID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">JOHSMI</AttributeValue>
    </Attribute>
    <Attribute Name="organization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">Widget Data Center</AttributeValue>
    </Attribute>
    <Attribute Name="site" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">23822</AttributeValue>
    </Attribute>
    <Attribute Name="telephone:work" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">+1 (212) 369 2623</AttributeValue>
      <AttributeValue type="xs:string">+1 (212) 369 2624</AttributeValue>
    </Attribute>
    <Attribute Name="telephone:mobile" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">+1 (212) 761 5019</AttributeValue>
    </Attribute>
    <Attribute Name="custom_data:date_of_birth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">1987-06-23</AttributeValue>
    </Attribute>
    <Attribute Name="custom_data:start_date" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <AttributeValue type="xs:string">2017-01-31</AttributeValue>
    </Attribute>
  </AttributeStatement>

The above information from the SAML response is parsed by ITRP as follows:

{
  "source" => "JIT Provisioning",
  "sourceID" => "JOHSMI",
  "name" => "John Smith",
  "supportID" => "JOHSMI",
  "organization" => "Widget Data Center",
  "site" => 23822,
  "telephone" => {
    "work" => ["+1 (212) 369 2623", "+1 (212) 369 2624"],
    "mobile" => ["+1 (212) 761 5019"]
  },
  "custom_data" => {
    "date_of_birth" => "1987-06-23",
    "start_date" => "2017-01-31"
  }
}
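The grouping of telephone:<label> and custom_data:<id> attributes shown above, together with the create/update/skip decision from step 1 of the triggering procedure, as an added example (not ITRP's own code). It assumes the AttributeStatement is carried in the standard SAML 2.0 assertion namespace (unqualified tags, as in the page's fragment, are accepted too) and that the primary email lookup has already produced the existing person record, or None; the sample XML is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed AttributeStatement with one multi-valued
# telephone label and one custom field, in the SAML 2.0 assertion namespace.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="name"><saml:AttributeValue>John Smith</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="site"><saml:AttributeValue>23822</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="telephone:work">
    <saml:AttributeValue>+1 (212) 369 2623</saml:AttributeValue>
    <saml:AttributeValue>+1 (212) 369 2624</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="custom_data:start_date"><saml:AttributeValue>2017-01-31</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on qualified tag names.
    return tag.rsplit("}", 1)[-1]


def parse_jit_attributes(xml_text):
    """Turn <Attribute Name=...> elements into the nested structure the page shows:
    telephone:<label> values are collected per label (also when the same label
    appears in several Attribute elements), custom_data:<id> values go under
    "custom_data", and every other attribute becomes a scalar."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter():
        if _local(attr.tag) != "Attribute":
            continue
        values = [(v.text or "").strip() for v in attr if _local(v.tag) == "AttributeValue"]
        name = attr.get("Name", "")
        if name.startswith("telephone:"):
            out.setdefault("telephone", {}).setdefault(name[len("telephone:"):], []).extend(values)
        elif name.startswith("custom_data:"):
            out.setdefault("custom_data", {})[name[len("custom_data:"):]] = values[0] if values else ""
        else:
            out[name] = values[0] if values else ""
    return out


def jit_action(attrs, existing):
    """Step 1 of the triggering procedure. `attrs` is the parsed JIT data,
    `existing` the person record matched on primary email (None if absent).
    Returns "login" (go to step 3), "update" or "create" (both go to step 2)."""
    if not attrs:
        return "login"            # no JIT attributes at all: plain SSO login
    if existing is None:
        return "create"           # no person record yet: generate one
    changed = any(existing.get(k) != v for k, v in attrs.items())
    return "update" if changed else "login"   # identical values: nothing to save
```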