Just in Time Provisioning to Application Repository

By default, DirX Access performs Just In Time (JIT) provisioning to the application repository: when a user authenticates successfully and no user record exists for that user in the application repository, a record is created automatically.

JIT provisioning is configured per authentication method. It can be disabled by setting the Just-in-time provisioning of user record to AppRepo parameter in the authentication method configuration to false. Disabling JIT provisioning is especially useful for federation authentication methods such as SAML and OAuth, where the user's identity is managed by the external identity provider and a local copy of every federated user may not be wanted.

The following scenarios describe what happens during user authentication related to JIT provisioning:

  1. The user does not exist in the application repository, and JIT provisioning is enabled. In this case, a user record is created in the application repository.

  2. The user exists in the application repository, and JIT provisioning is enabled. Here, the user is authenticated, and the user record is updated if needed (e.g., RBA data, last access time).

  3. The user does not exist in the application repository, and JIT provisioning is disabled. The user is authenticated, but no user record is created. Note that no RBA data is collected in this case, so risk conditions that depend on RBA data may be evaluated as indeterminate.

  4. The user exists in the application repository, and JIT provisioning is disabled. The user is authenticated, and the user record is updated if needed.

By default, the user record is created with an identifier resolved from the authentication method and the login name used during authentication, and its last access time is set to the current time. Optionally, the user record may also include RBA data collected during the session; this data is saved when the user logs out or the session expires.

If you expect a large number of new users to authenticate and be provisioned, set the SSO update subject after seconds parameter in Cluster → SSO service to a value greater than 0. This reduces the number of writes to the application repository: the user record is updated once during authentication rather than on every subsequent request within the configured interval.

Special cases of JIT provisioning

  • Composite authentication: When using composite authentication, no user data is saved to the application repository during the individual authentication steps. JIT provisioning applies only when the entire composite authentication process has completed successfully. To prevent user records from being created in the application repository when using composite authentication, it is sufficient to disable JIT provisioning for the composite authentication method itself; the settings of the individual step methods do not matter.

  • Step-up authentication: When a user re-authenticates during step-up authentication, different scenarios can occur:

    • If a user record was created or already existed during the initial authentication, it will be updated.

    • If no user record was created during initial authentication, the step-up authentication method’s JIT provisioning setting determines whether a record is created at that point.

    • If JIT provisioning is disabled for both the initial and step-up authentication methods, and the user record did not exist previously, no user record will be created.

  • Using shared credentials across multiple authentication methods: When credentials are shared across multiple authentication methods, the JIT provisioning setting of the authentication method that is the source of the shared credentials applies, not the setting of the method that consumes them.
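The four scenarios and the three special cases above, written out as a decision model. This is an added example and not DirX Access code: the method names, the in-memory stand-in for the application repository and the data structures are constructed for illustration, and the model only encodes the rules stated on this page (it does not claim to reproduce how the product stores the record).

```python
"""Illustrative model of the JIT provisioning rules (added example, not DirX Access code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthMethod:
    name: str
    jit_enabled: bool = True
    # For a method that uses shared credentials: the method they come from.
    # Its JIT setting is the one that applies (constructed attribute name).
    credential_source: Optional["AuthMethod"] = None

    def effective_jit(self) -> bool:
        # Shared credentials: the source method's JIT setting wins.
        if self.credential_source is not None:
            return self.credential_source.effective_jit()
        return self.jit_enabled


@dataclass
class Outcome:
    authenticated: bool = True     # the JIT setting never blocks authentication
    record_created: bool = False
    record_updated: bool = False
    rba_collected: bool = False    # RBA data exists only if a record exists


class AppRepo:
    """Constructed stand-in for the application repository (a set of login names)."""

    def __init__(self, users=()):
        self.users = set(users)

    def provision(self, login: str, method: AuthMethod) -> Outcome:
        out = Outcome()
        if login in self.users:
            out.record_updated = True          # scenarios 2 and 4
        elif method.effective_jit():
            self.users.add(login)              # scenario 1
            out.record_created = True
        # scenario 3 falls through: authenticated, nothing stored
        out.rba_collected = login in self.users
        return out

    def composite(self, login: str, composite_method: AuthMethod, steps_ok) -> Outcome:
        # Individual steps never write to the repository; only the composite
        # method's own setting counts, and only once every step has succeeded.
        if not all(steps_ok):
            return Outcome(authenticated=False)
        return self.provision(login, composite_method)

    def step_up(self, login: str, initial: AuthMethod, step_up_method: AuthMethod) -> Outcome:
        first = self.provision(login, initial)
        # A record that exists after the initial step is updated; otherwise the
        # step-up method's own JIT setting decides whether one is created now.
        second = self.provision(login, step_up_method)
        return Outcome(
            record_created=first.record_created or second.record_created,
            record_updated=second.record_updated,
            rba_collected=second.rba_collected,
        )
```

Running the model for a SAML method with JIT disabled followed by a password step-up with JIT enabled shows the record being created only at the step-up, which is the case an operator most often has to reason about when both settings differ.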

Limiting User Data Saved in the Application Repository

In some cases, it may be desirable to limit the data saved about the user, particularly RBA data used in Risk-Based Authentication.

This can be configured system-wide by setting the Require user data consent parameter in Cluster → Authentication Service to true. When enabled, users must provide consent to save RBA-related data in the application repository. By default, this setting is disabled, and no user consent is required.

If the Require user data consent parameter is set to true, RBA data is neither collected nor saved until the user has given consent. Users can give consent via the Credential Manager, or a custom client application can set it through the SCIM interface by setting the userDataConsent attribute of urn:net:atos:dirx:access:scim:schemas:core:2.0:Entity to true.
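How a custom client would set that attribute over SCIM, as an added example that is not part of the DirX Access documentation or product code. Only the schema URN and the attribute name userDataConsent come from the page; the SCIM base URL, the resource path (/Entities/<id>), the bearer token and the sample entity are assumptions made for the example. The PatchOp message shape and the rule for resolving a fully qualified attribute path (core schema attribute at top level, extension attribute nested under its URN) follow RFC 7644.

```python
"""Set userDataConsent on a DirX Access SCIM entity (added example, not product code)."""
import json
import urllib.request

ENTITY_SCHEMA = "urn:net:atos:dirx:access:scim:schemas:core:2.0:Entity"   # from the page
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"            # RFC 7644


def consent_patch(consent: bool = True) -> dict:
    """Build the SCIM PatchOp that sets <ENTITY_SCHEMA>:userDataConsent."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{
            "op": "replace",
            "path": f"{ENTITY_SCHEMA}:userDataConsent",
            "value": consent,
        }],
    }


def apply_patch(resource: dict, patch: dict) -> dict:
    """Apply 'replace' operations locally, resolving a fully qualified path the
    way a SCIM server does: an attribute of the resource's own core schema lives
    at top level, an attribute of any other schema is nested under that URN
    (and the URN is added to 'schemas'). Used to check the request offline."""
    result = json.loads(json.dumps(resource))        # deep copy
    core_schema = result["schemas"][0]
    for op in patch["Operations"]:
        if op["op"] != "replace":
            raise ValueError(f"unsupported op: {op['op']}")
        schema, _, attr = op["path"].rpartition(":")
        if schema == core_schema:
            result[attr] = op["value"]
        else:
            if schema not in result["schemas"]:
                result["schemas"].append(schema)
            result.setdefault(schema, {})[attr] = op["value"]
    return result


def has_consent(resource: dict) -> bool:
    """True if userDataConsent is set, whether Entity is the core or an extension schema."""
    if resource["schemas"][0] == ENTITY_SCHEMA:
        return bool(resource.get("userDataConsent", False))
    return bool(resource.get(ENTITY_SCHEMA, {}).get("userDataConsent", False))


def send_consent(base_url: str, entity_id: str, token: str, consent: bool = True) -> dict:
    """PATCH <base_url>/Entities/<entity_id> (assumed path) with the consent operation."""
    req = urllib.request.Request(
        f"{base_url}/Entities/{entity_id}",
        data=json.dumps(consent_patch(consent)).encode(),
        method="PATCH",
        headers={
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
            "Authorization": f"Bearer {token}",      # assumed: bearer-token auth
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample entity, as a SCIM server might return it before consent.
SAMPLE_ENTITY = {
    "schemas": [ENTITY_SCHEMA],
    "id": "entity-0001",
    "userName": "alice",
}

if __name__ == "__main__":
    patched = apply_patch(SAMPLE_ENTITY, consent_patch(True))
    print(json.dumps(patched, indent=2))
    # send_consent("https://dirxaccess.example/scim/v2", "entity-0001", "<token>")
```

Check the result of apply_patch against a real entity fetched with GET before relying on the path form: if the server returns userDataConsent nested under the URN rather than at top level, the Entity schema is an extension on that resource type and the patch still applies, but has_consent must then look in the nested object.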

If no RBA data is collected but risk conditions are configured to depend on it, entities without this data may be assigned a higher risk level, in particular where a risk level is assigned for the indeterminate state of a condition.

Note that if JIT provisioning is disabled for an authentication method, no RBA data is collected for the user during authentication, regardless of consent. Therefore, to collect RBA data for users of that method, JIT provisioning must be enabled for the authentication method as well.