Just-in-time user provisioning
With SSO enabled via SAML or OIDC, administrators can optionally enable just-in-time user provisioning. When enabled, administrators provide a JSON configuration that maps a group on their SSO identity provider to a Tines team and role. Once set up, a user signing into Tines for the first time is automatically placed in the team and role mapped to their SSO group in the configuration JSON, without requiring an invitation to the tenant.
Note: A change to the just-in-time configuration will not update existing users' teams and roles unless Enhanced Just-in-time syncing is enabled (see below for details).
To set up:
Enable the checkbox entitled "Just-in-time user provisioning".
Fill in the following blank fields in the JSON editor:
The group_attribute_name (required) field should be filled in with the name of the SAML or OIDC attribute containing a user's group name. In the example below the value for this field would be "Group".
Authentication Settings configuration of jit.
An example of a Group Attribute Statement configuration in Okta.
The tenant_owners_group (optional) field, when provided, provisions users in the SSO group matching this field as tenant owners.
The tenant_permissions (optional) field, when provided, assigns individual tenant permissions to users based on their SSO group.
Each object in the mappings array contains an sso_group with a value matching the name of the desired group in your identity provider, a team_name with a value matching the name of the Tines team users from this SSO group should be placed into, and a role_name with a value matching the desired team role for those users (team_admin, editor, or viewer). In scenarios where a user is mapped to a team via more than one group, the first applicable entry in the list will be used.
Note: Values are matched case-sensitively, so use the correct case when populating each value. For example, if the team_name is "TEST", enter it exactly as "TEST".
The following example gives the SSO group called Administrators "Tenant Owner" status, and assigns members of several groups to specific teams with different roles.
{
  "tenant_owners_group": "Administrators",
  "group_attribute_name": "Group",
  "mappings": [
    { "sso_group": "Administrators", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "sso_group": "Managers", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "sso_group": "Managers", "team_name": "Incident Response", "role_name": "EDITOR" },
    { "sso_group": "Analysts", "team_name": "Analytics", "role_name": "EDITOR" },
    { "sso_group": "Everyone", "team_name": "Incident Response", "role_name": "VIEWER" }
  ],
  "tenant_permissions": [{ "sso_group": "Managers", "permission": "AUDIT_LOG_READ" }]
}
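To see what the mapping rules above actually grant a given user, here is an added Python simulation (not Tines code) of the resolution logic the page describes: first applicable mapping per team wins, group names are matched case-sensitively, and tenant-owner status and tenant permissions are derived from the same group list. It assumes the IdP delivers group names as a multi-valued attribute named by group_attribute_name.

```python
import json

# Constructed copy of the page's sample JIT configuration.
JIT_CONFIG = json.loads("""
{
  "tenant_owners_group": "Administrators",
  "group_attribute_name": "Group",
  "mappings": [
    { "sso_group": "Administrators", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "sso_group": "Managers", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "sso_group": "Managers", "team_name": "Incident Response", "role_name": "EDITOR" },
    { "sso_group": "Analysts", "team_name": "Analytics", "role_name": "EDITOR" },
    { "sso_group": "Everyone", "team_name": "Incident Response", "role_name": "VIEWER" }
  ],
  "tenant_permissions": [{ "sso_group": "Managers", "permission": "AUDIT_LOG_READ" }]
}
""")


def resolve_access(config, assertion_attributes):
    """Simulate what JIT provisioning would grant a user on login.

    assertion_attributes: dict of attribute name -> list of values, as a
    SAML attribute statement or OIDC claim would carry them (assumed shape).
    Group names are compared case-sensitively, as the page's note requires.
    """
    groups = set(assertion_attributes.get(config["group_attribute_name"], []))
    teams = {}
    # Walk mappings in list order; the first entry matching one of the
    # user's groups claims the team, later entries for that team are ignored.
    for entry in config.get("mappings", []):
        if entry["sso_group"] in groups and entry["team_name"] not in teams:
            teams[entry["team_name"]] = entry["role_name"]
    owner_group = config.get("tenant_owners_group")
    tenant_owner = owner_group is not None and owner_group in groups
    permissions = sorted(
        p["permission"] for p in config.get("tenant_permissions", [])
        if p["sso_group"] in groups
    )
    return {"tenant_owner": tenant_owner, "teams": teams, "permissions": permissions}


if __name__ == "__main__":
    # A user in Managers, Analysts and Everyone: Managers wins both teams.
    print(resolve_access(JIT_CONFIG, {"Group": ["Managers", "Analysts", "Everyone"]}))
```

Passing a group with the wrong case (e.g. "analysts") or an attribute name other than "Group" yields no team assignments, which is the symptom to check first when a new user lands in the tenant with no team.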
Optional: For a new user's first name, last name, and avatar to be automatically configured when signing on, the givenname, surname, and avatar attributes can be added to the SAML statement or OIDC claim.
Enhanced Just-in-time syncing
In addition to just-in-time user provisioning, administrators can also enable 'Enhanced Just-in-time syncing'. This feature syncs a user's teams and roles from their IdP on every login.
Once this is enabled on a tenant, a user's team memberships and roles are provisioned and synced in Tines to match changes made on the Identity Provider.
Important: As a result, managing a user's team and role assignments via Tines will be disabled.
To set up:
Follow the steps for configuring JIT above. This feature is compatible with existing JIT configurations, so current mappings will continue to work.
Enable the checkbox entitled "Enhanced Just-in-time syncing".
From then on, a user's team and role assignments are synced from their IdP settings on each login.
Authentication Settings configuration of enhanced JIT syncing.