
Setting up Just-In-Time User Provisioning

The following standard attributes are used for just-in-time provisioning. They must be configured in your Identity Manager (IDP) and included in the SAML assertion/response. You will need to provide this information to your IT department.

| Claims Attribute | Description |
| --- | --- |
| nameidentifier | This will be used as username in the application and must be formatted as email. |
| emailAddress | This attribute will be used as Contact Email. |
| firstname | Contact first name. |
| lastname | Contact last name. |

Users can only be auto-provisioned as organization-level users, whether you use the default standard attributes or configure non-standard attributes.

The default role given to users is General user.

The default Location in which users are provisioned is a location in your organization which contains the words “Unallocated” or “Provisioning”.

User provisioning works only with IDP-initiated login or with the SSO direct link URL https://<cluster>.envizi.com/home/Client/<client_token>/, where <cluster> is the server cluster name and <client_token> is the Client ID generated in the SSO Admin page, e.g. https://us003.envizi.com/home/Client/48224780e59e41a2975edc4117889a28/

User provisioning will not work when accessing the system via the Envizi login page.

Just-In-Time User Provisioning using Non Standard Attributes

To set up just-in-time provisioning using non-standard attributes provided in the SAML response:

  1. Go to Admin → Single Sign-On.

  2. On the row of the SSO you are configuring, select the Action (or right-click) Edit SSO Metadata.

  3. Click the SSO preferences section on the left-hand side of the page.

  4. Fill in the Auto-Provisioning Properties.

| Fields | Description | Example |
| --- | --- | --- |
| Email Claims Attribute Name | Attribute where the user’s email value will be provided in the SAML assertion/response | |
| First Name Claims Attribute Name | Attribute where the user’s first name value will be provided in the SAML assertion/response | |
| Last Name Claims Attribute Name | Attribute where the user’s last name value will be provided in the SAML assertion/response | |
| Role Claims Attribute Name | If you want to include roles in your mapping, the Role Claims Attribute is mandatory. If it is not filled in, provisioning reverts to the standard Envizi just-in-time role setting of “General” for all users provisioned | |
| Role View Only - Value mapping | Identifies the role or group in which the user belongs in your IDP to map to the View Only role in Envizi | Read-only |
| Role General - Value mapping | Identifies the role or group in which the user belongs in your IDP to map to the General role in Envizi | Editor |
| Role System Administration - Value mapping | Identifies the role or group in which the user belongs in your IDP to map to the System Administrator role in Envizi | Admin |

  5. Fill in the Roles Attributes. This is the mapping from the roles in your provisioning system to the roles in Envizi.

  6. In Other Attributes, select the location in which the provisioned users will be created. If this is not filled in then the default location settings will be used.

  7. Click Save.
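
A pre-flight check for the attribute requirements described on this page, as an added example (not Envizi's code): it inspects a constructed, unsigned sample assertion for the standard attributes and resolves the role from the example value mappings. Assumptions: the nameidentifier claim is carried in Subject/NameID, URI-style claim names match on their last path segment, and `groups` is a hypothetical Role Claims Attribute Name. It checks attribute content only and performs no signature validation.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("emailAddress", "firstname", "lastname")  # standard attributes listed above
# Role values taken from the Example column of the auto-provisioning table.
ROLE_MAP = {"Read-only": "View Only", "Editor": "General", "Admin": "System Administrator"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed, unsigned sample assertion; "groups" is a hypothetical role attribute name.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Read-only</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, role_attr=None, required=REQUIRED, role_map=ROLE_MAP):
    """Return (problems, role); role is None when the role values cannot be mapped."""
    root = ET.fromstring(xml_text)
    problems = []
    # Assumption: the nameidentifier claim is carried in Subject/NameID.
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"nameidentifier {name_id!r} is not formatted as an email")
    # Assumption: URI-style claim names are matched on their last path segment.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name", "").rsplit("/", 1)[-1]] = values
    problems += [f"missing attribute {n}" for n in required if not attrs.get(n)]
    if not role_attr:
        return problems, "General"  # default role when no Role Claims Attribute is set
    mapped = {role_map[v] for v in attrs.get(role_attr, []) if v in role_map}
    if len(mapped) != 1:  # no match, or values that point at different Envizi roles
        problems.append(f"{role_attr} values {attrs.get(role_attr, [])} map to {len(mapped)} roles")
        return problems, None
    return problems, mapped.pop()

if __name__ == "__main__":
    print(check_assertion(SAMPLE, role_attr="groups"))
```

Running it against an assertion captured from a test login shows which attributes the IDP still has to release before the first provisioning attempt.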
