
Celonis Product Documentation

Configuring SAML JIT single sign-on

You can enable just-in-time (JIT) user provisioning when configuring your SSO options, allowing new users to join and access your Celonis Platform team on demand. Adopting SAML JIT user provisioning reduces the need for manual user management, and the user information is passed securely between your IdP and the Celonis Platform.

To enable SAML JIT SSO for your Celonis Platform team, follow the steps provided in Configuring SAML SSO and then select the optional JIT configuration:

A screenshot showing how to enable just-in-time configuration.

You need to provide both the users’ first and last name attributes. We also recommend that all new users are given group attributes, assigning them permissions automatically.

The group attribute must be formatted as a multi-valued attribute inside the authentication response sent to the Celonis Platform, similar to this:

<Attribute Name="groups" ...>
<AttributeValue xsi:type="xs:string" ...>groupB</AttributeValue>
<AttributeValue xsi:type="xs:string" ...>groupA</AttributeValue>
</Attribute>

Note

SAML JIT takes ownership of any group that has the same name as a group that appears in the SAML claim of some user. For these groups, members are removed at login depending on whether or not their SAML claim lists that membership. Any group that has never appeared in any SAML claim stays as-is, including all of its memberships.
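
The following Python check is an added example, not Celonis code. It covers both the multi-value format requirement and the group ownership rule in the Note: it reads the `groups` attribute from a captured attribute statement, flags a value that looks like several groups joined into one `AttributeValue`, and previews which memberships a login would leave in place. The sample XML, the function names, the delimiter heuristic and the reconciliation model are assumptions based on the wording of this page.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a trimmed AttributeStatement as an IdP might send it.
SAMPLE = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="groups">
    <saml:AttributeValue xsi:type="xs:string">groupB</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">groupA</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def claimed_groups(xml_text, attr_name="groups"):
    """Return the group names in the claim, one per AttributeValue.

    Format check only: it does not validate the response signature. Run it on
    a response captured from your own IdP; use a hardened parser such as
    defusedxml for XML you do not trust.
    """
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attr.get("Name") == attr_name:
            for value in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    for v in values:
        # Heuristic (assumes group names contain no ',' or ';'): a delimiter
        # inside one value usually means the IdP joined the list.
        if any(sep in v for sep in ",;"):
            raise ValueError(f"{v!r} looks like several groups in one AttributeValue")
    return {v for v in values if v}


def memberships_after_login(current, claim, seen_in_claims):
    """Model of the Note: groups ever seen in any claim follow this user's
    claim; groups never seen in a claim keep their memberships as-is."""
    managed = set(seen_in_claims) | set(claim)
    return (set(current) - managed) | set(claim)
```

Before enabling JIT, compare the output of `memberships_after_login` with each user's current groups to see which manually assigned memberships share a name with an IdP group and would therefore follow the claim.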