As we design and build cloud-based systems, topics that were previously seen as admin concerns, such as single sign-on and user provisioning, become more and more relevant to developers. Single sign-on allows us to leverage enterprise identity in accessing services in the cloud – users don’t have to manage yet another password, and admins don’t have to worry about users duplicating their enterprise login password in their service provider accounts.
Those accounts still have to be created, though, which is where user provisioning comes in. Admins can obviously create Salesforce accounts manually, but this is time consuming – imagine onboarding hundreds or even thousands of employees as a result of an acquisition or merger! Identity management tools exist to automate the process, and can do a great job, but they don’t come cheap.
Just-in-Time (JIT) provisioning, a new feature in the Summer ’11 release, provides an easy onramp for account creation, building on the existing SAML 2.0 single sign-on functionality. With JIT provisioning, you configure your enterprise identity provider to include attributes such as username, first name, last name and email address in the SAML assertion sent during single sign-on. If no match exists for the presented username, a new account is created ‘on the fly’, populated with the attributes from the assertion, and the user immediately has access. On the other hand, if an account does already exist, it is updated according to the presented attributes. A wide variety of attributes are supported – for example, a profile id can be specified for new or existing accounts – so you have pretty fine-grained control over the account creation and update process.
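The match-or-create logic described above, as an added example that is not part of the original post or of Salesforce's implementation: it pulls the attributes out of a constructed SAML 2.0 assertion and applies them to an in-memory user store, creating the account when the presented username is unknown and updating it otherwise. The `User.<Field>` attribute names and the profile id value are assumptions for this example, and the provisioning step only runs once the caller has verified the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. The "User.<Field>" attribute names and the
# profile id are assumptions for this example, not values from the post.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00eEXAMPLEPROFILE</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attributes that must be present before an account may be created or changed.
REQUIRED = ("User.Username", "User.FirstName", "User.LastName", "User.Email")


def parse_attributes(xml_text):
    """Return {attribute name: value} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def jit_provision(store, attrs, signature_valid):
    """Create or update the account keyed by User.Username and report what happened.

    `store` stands in for the service provider's user table. Nothing is written
    unless the assertion was signature-verified and carries every required attribute.
    """
    if not signature_valid:
        return "rejected: unverified assertion"
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        return "rejected: missing " + ", ".join(missing)
    username = attrs["User.Username"]
    fields = {n.split(".", 1)[1]: v for n, v in attrs.items() if n != "User.Username"}
    if username in store:
        store[username].update(fields)   # existing account: apply presented attributes
        return "updated"
    store[username] = fields             # no match: create the account on the fly
    return "created"
```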
JIT Provisioning promises to be a very popular feature – sign up for the Summer ’11 pre-release and try it out now!