Skip to main content

Celonis Product Documentation

Automated user and group provisioning

As your EMS team grows, you'll need to create user accounts, groups and group memberships in a scalable way.

EMS offers two solutions:

  • Just-in-time provisioning via SAML (SAML JIT).

  • LDAP sync tool.

Just-in-time provisioning via SAML (SAML JIT)

This is our recommended option because it:

  • requires no on-premise infrastructure because it's part of the Celonis EMS.

  • provisions membership and groups automatically the first time a user logs in.

  • updates group memberships continuously with every login.

  • gives users the productivity gains of single sign-on for automated user and group provisioning.

  • removes users via the User locking policy. (Updated features coming April)

There are some requirements for the identity provider:

  • Group support.

  • Application access management.

  • Groups need to be sent with the SAML claim.


This has been deprecated.

  • It's a separate Java application that needs on-premise infrastructure.

  • It synchronizes users and groups from any LDAP-capable source to the team. It can:

    • create team and group memberships for new users.

    • update existing users' group memberships.

    • remove users.

  • It selects users and groups via LDAP queries:

    • You'll need to maintain it when people join or leave the team.

    • Often scarce knowledge.

  • It requires an OpenLDAP-compatible data source.