Celonis Product Documentation

Automated user and group provisioning

As your EMS team grows, you will need a scalable way to create user accounts, groups, and group memberships.

The EMS offers two solutions that achieve this goal by different means.

The comparison below is meant to help you decide between them:

Just-In-Time Provisioning via SAML (RECOMMENDED)
  • Part of the Celonis EMS; does not require any on-premise infrastructure.

  • Provisions membership and groups upon the first login of a user.

  • Updates group memberships continuously with every login.

  • Removes users via the User locking policy. (Updated features coming April)

  • Requirements for the identity provider:

    • Group support

    • Groups need to be sent with the SAML claim

    • Application access management

LDAP-based synchronization
  • A separate Java application that needs on-premise infrastructure.

  • Synchronizes users and groups from any LDAP-capable source to the team:

    • Creates team and group memberships for new users

    • Updates existing users' group memberships

    • Removes users

  • Selects users and groups via LDAP queries:

    • The queries need servicing when the people on the team change.

    • Knowledge of LDAP queries is often scarce.

  • Requires an OpenLDAP-compatible data source.


Most productive teams leverage SSO, so we are trying to establish SAML JIT as the preferred option for automated user and group provisioning.
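
The Just-In-Time behaviour described above (provision on first login, update group memberships on every login, groups sent with the SAML claim) can be sketched as follows. This is an added example, not Celonis code: the attribute name `groups`, the in-memory `directory`, and the fail-closed handling of a missing claim are assumptions, and the assertion is assumed to have already passed signature and condition validation.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_ATTRIBUTE = "groups"  # assumption: the real name is set in the IdP/SP configuration

# Constructed sample: an assertion that has already passed signature validation.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>analysts</saml:AttributeValue>
      <saml:AttributeValue>data-engineers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def groups_from_assertion(assertion_xml, attribute=GROUPS_ATTRIBUTE):
    """Return (user, groups); groups is None when the IdP sent no groups claim."""
    root = ET.fromstring(assertion_xml)
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute:
            values = attr.findall("saml:AttributeValue", NS)
            return user, {(v.text or "").strip() for v in values} - {""}
    return user, None

def reconcile(directory, assertion_xml):
    """Apply one login to directory (user -> set of groups) and return the change."""
    user, claimed = groups_from_assertion(assertion_xml)
    if not user:
        raise ValueError("assertion has no NameID")
    if claimed is None:
        # Assumed policy: fail closed, so a missing claim neither wipes
        # nor silently preserves existing memberships.
        raise ValueError("IdP did not send the groups attribute")
    current = directory.get(user, set())  # empty on first login
    change = {"created": user not in directory,
              "added": sorted(claimed - current),
              "removed": sorted(current - claimed)}
    directory[user] = claimed
    return change
```

Because memberships are only reconciled at login, a group removed at the identity provider stays in effect on the service side until the user's next login.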