Just-in-Time User Provisioning

The SAML SSO integration can automatically provision new users when they first sign in, using Just-in-Time (JIT) provisioning.

If you are planning to enable provisioning of new users as they first sign in through SAML, please inform your Implementation Consultant or Client Success Manager, or email integrations@readyeducation.com. Our Activations team will assist in gathering the necessary information to set up these features and in completing the configuration.

Important Notes:

  • Configuration is required for setting up just-in-time user provisioning. This process can take 4-6 weeks, including requirements gathering, configuration, testing, and deployment from sandbox to production.

  • Just-in-time provisioning can only be used to create user profiles when new users log in via SSO to CampusGroups for the first time. User profiles will not be updated via JIT provisioning. To update user profiles, the institution will need to set up an API feed, SFTP flat file feed, or bulk imports through the platform.

To configure JIT provisioning through SSO, you will need to release additional supported attributes from the list at the bottom of this article. These can be mapped to first name, last name, email, netid, account type and year of graduation, for example:

  • urn:oid:2.5.4.42 -> first name

  • urn:oid:2.5.4.4 -> last name

  • urn:oid:0.9.2342.19200300.100.1.3 -> email address

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.9 -> account type

Single-Valued Attribute Mapping

If the attribute mapped to Account Type is single-valued (for example, if passing a "primary affiliation" with a single value), we will also need the mapping information that translates possible values for this attribute to the matching Account Type in CampusGroups, plus a default Account Type for unmapped values. For example:

  • student => CG Student

  • faculty => CG Staff & Faculty

  • staff => CG Staff & Faculty

  • DEFAULT => CG Guest

Multi-Valued Attribute Mapping

If the attribute mapped to Account Type is multi-valued (for example, if passing a list of affiliations for the user), we will also need the mapping information that translates possible combinations of values for this attribute to the matching Account Type in CampusGroups, and/or which Account Type to map to based on a value present in the list, and finally a default Account Type for unmapped values. For example:

  • employee,student => CG Student Employee

  • faculty => CG Staff & Faculty

  • employee,faculty => CG Staff & Faculty

  • staff => CG Staff & Faculty

  • employee,staff => CG Staff & Faculty

  • CONTAINS student => CG Student

  • DEFAULT => CG Guest

Configuration Requirements

  1. Basic SAML SSO must be set up before just-in-time user provisioning can be configured.

  2. We recommend setting up JIT provisioning first in your sandbox instance, prior to setting this up in your production instance. This will allow you to test that users are being successfully created upon first login, with all required and desired profile fields being correctly populated.

  3. We recommend doing a manual file upload of users first, since JIT provisioning cannot be used to update user profiles, only create new user profiles. You can also supplement JIT provisioning with SFTP flat file uploads or via API automation to ensure user profiles are always up to date.

  4. Review the list of existing Account Types from the CG Platform. These can be found under Admin > Settings > Custom Values (Lookup).

  5. Additional notes:

    • Exact combination matches take precedence over "CONTAINS" mappings, which take precedence over the DEFAULT mapping.

    • Account type and year of graduation can be omitted, but since they are used for access control throughout the platform, we strongly suggest adding them.

  6. Provide the following items via email to integrations@readyeducation.com:

    1. List of attributes that you are releasing that meet our requirements for first name, last name, email address, and account type. These should be from the list of Supported Attributes below.

    2. Mapping information for the attribute mapped to Account Type, and whether it is single-valued or multi-valued.
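
The resolution order described in the notes above (exact combination, then CONTAINS, then DEFAULT) can be checked against a draft mapping table before it is submitted. The following is an added example, not CampusGroups code: the rule table is the multi-valued example from this article, and the rule parsing, case-insensitive comparison and stripping of an "@scope" suffix are assumptions.

```python
# Added example: rule table copied from the multi-valued mapping example above.
# Parsing and normalization choices are assumptions, not CampusGroups behavior.
RULES = """\
employee,student => CG Student Employee
faculty => CG Staff & Faculty
employee,faculty => CG Staff & Faculty
staff => CG Staff & Faculty
employee,staff => CG Staff & Faculty
CONTAINS student => CG Student
DEFAULT => CG Guest
"""

def parse_rules(text):
    """Split the table into exact-set rules, CONTAINS rules and the DEFAULT."""
    exact, contains, default = {}, [], None
    for line in text.strip().splitlines():
        left, account_type = (part.strip() for part in line.split("=>", 1))
        if left == "DEFAULT":
            default = account_type
        elif left.startswith("CONTAINS "):
            contains.append((left[len("CONTAINS "):].strip().lower(), account_type))
        else:
            key = frozenset(v.strip().lower() for v in left.split(","))
            if key in exact and exact[key] != account_type:
                raise ValueError(f"conflicting rules for {sorted(key)}")
            exact[key] = account_type
    if default is None:
        raise ValueError("a DEFAULT rule is required for unmapped values")
    return exact, contains, default

def resolve_account_type(values, rules):
    """Return (account_type, rule_kind) for the released attribute values."""
    exact, contains, default = rules
    # Assumption: compare case-insensitively, ignore order, and drop any
    # "@scope" suffix such as staff@your.domain.edu.
    normalized = frozenset(v.split("@", 1)[0].strip().lower() for v in values)
    if normalized in exact:
        return exact[normalized], "exact"
    for needle, account_type in contains:
        if needle in normalized:
            return account_type, "contains"
    return default, "default"

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for sample in (["student", "employee"], ["student", "alum"], ["alum"], []):
        print(sample, "->", resolve_account_type(sample, rules))
```

With this table, a combination that is not listed as an exact rule, such as employee,faculty,student, falls through to the CONTAINS rule and resolves to CG Student, and a lone employee value resolves to the DEFAULT. Because Account Type drives access control, list every combination that needs a different result as its own exact rule.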

Supported Attributes

We are only able to accept the following attribute Object Identifiers.

Note that any of these fields can be mapped to any of the CampusGroups profile fields regardless of their default name.

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.6 which is titled eppn (value must be scoped, e.g. username@your.domain.edu)

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.9 which is titled affiliation (value must be scoped, e.g. staff@your.domain.edu)

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.1 which is titled unscoped-affiliation

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.7 which is titled entitlement

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.5 which is titled primary-affiliation

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.2 which is titled nickname

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.8 which is titled primary-orgunit-dn

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.4 which is titled orgunit-dn

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.3 which is titled org-dn

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.11 which is titled assurance

  • urn:oid:1.3.6.1.4.1.5923.1.5.1.1 which is titled member

  • urn:oid:1.3.6.1.4.1.5923.1.6.1.1 which is titled eduCourseOffering

  • urn:oid:1.3.6.1.4.1.5923.1.6.1.2 which is titled eduCourseMember

  • urn:oid:1.3.6.1.4.1.5923.1.9 which is titled eduPermissionGroup  

  • urn:oid:2.5.4.3 which is titled cn

  • urn:oid:2.5.4.4 which is titled sn

  • urn:oid:2.5.4.42 which is titled givenName

  • urn:oid:2.16.840.1.113730.3.1.241 which is titled displayName

  • urn:oid:0.9.2342.19200300.100.1.1 which is titled uid

  • urn:oid:0.9.2342.19200300.100.1.3 which is titled mail

  • urn:oid:2.5.4.20 which is titled telephoneNumber

  • urn:oid:2.5.4.12 which is titled title

  • urn:oid:2.5.4.43 which is titled initials

  • urn:oid:2.5.4.13 which is titled description

  • urn:oid:2.16.840.1.113730.3.1.1 which is titled carLicense

  • urn:oid:2.16.840.1.113730.3.1.2 which is titled departmentNumber

  • urn:oid:2.16.840.1.113730.3.1.3 which is titled employeeNumber

  • urn:oid:2.16.840.1.113730.3.1.4 which is titled employeeType

  • urn:oid:2.16.840.1.113730.3.1.39 which is titled preferredLanguage

  • urn:oid:0.9.2342.19200300.100.1.10 which is titled manager

  • urn:oid:2.5.4.34 which is titled seeAlso

  • urn:oid:2.5.4.23 which is titled facsimileTelephoneNumber

  • urn:oid:2.5.4.9 which is titled street

  • urn:oid:2.5.4.18 which is titled postOfficeBox

  • urn:oid:2.5.4.17 which is titled postalCode

  • urn:oid:2.5.4.8 which is titled st

  • urn:oid:2.5.4.7 which is titled l

  • urn:oid:2.5.4.10 which is titled o

  • urn:oid:2.5.4.11 which is titled ou

  • urn:oid:2.5.4.15 which is titled businessCategory

  • urn:oid:2.5.4.19 which is titled physicalDeliveryOfficeName
