Guides and TutorialsSingle Sign-On (SSO)

Just-in-Time (JIT) Provisioning

With JIT provisioning enabled on a tenant’s SSO connection, Descope creates the user on first SSO login and refreshes mapped attributes and groups on later logins. You don’t have to pre-create every account before someone signs in.

JIT is configured per SSO connection on the tenant (SAML or OIDC), under Authentication Methods → SSO.

How to enable or disable Just-in-Time (JIT) provisioning in Descope

What Descope Does When JIT Is On

On a successful SSO login:

  1. If the user doesn’t exist yet, Descope creates them from assertion attributes (email, name, and anything you’ve mapped).
  2. If the user already exists, Descope updates mapped attributes and group → role assignments from the latest assertion.
  3. If no mapped roles apply, Descope can still assign Default Roles configured on that SSO connection.

That update-on-login behavior is why JIT is useful even after the first signup, as long as people keep logging in via SSO.

JIT vs SCIM

JITSCIM
When users appearOn first (and later) SSO loginWhen the IdP pushes create/update/deactivate
Attribute / group updatesOn each SSO loginContinuously from the directory
DeprovisioningNot automatic; the user can remain until you remove them or use SCIMIdP can deactivate / remove users
Best forFast SSO rollouts, small orgs, or “login creates the account”Enterprises that require hire/fire sync without waiting for login

You can run both: SCIM for lifecycle, JIT for attribute refresh on login (or turn JIT off if SCIM should be the only writer). See SCIM and SCIM best practices.

How to Enable or Disable JIT

  1. Open the Tenants page and select the tenant.
  2. Go to Authentication Methods → SSO (and pick the right SSO profile if you use multiple IdPs).
  3. Toggle JIT Provisioning on or off.

Your customer’s IT admin can also change this in the SSO Setup Suite.

Manual field reference: SAML and OIDC configuration.

Mapping That JIT Relies On

JIT only knows what you map from the IdP:

  • User attribute mapping. Email, name, phone, and custom attributes.
  • Group and role mapping. IdP groups to Descope roles (and optional FGA mappings).
  • Default roles. Applied when no group mapping matches.

Configure those in the Console, Setup Suite, or Management API. Details: SSO user and group mapping.

Security Notes

  • Restrict SSO domains so only intended emails can hit this connection.
  • Prefer strict group → role maps over broad default roles in production.
  • If users might already exist from password/OTP, read Merging SSO identities before go-live.
  • Confirm creates and updates in Audits (LoginSucceeded and related SSO fields). See SSO audit fields.
Was this helpful?

On this page