Just-In-Time Provisioning via SAML
Description
With SAML JIT, you can easily build on an existing SSO via SAML setup. It offers the following capabilities:
- Provisions the user account and its group memberships on the user's first login
- Updates group memberships on every subsequent login
The authenticating party (the identity provider) needs to support the following:
- Group support
- Modifiable claims (information that is sent with every login to create accounts and update groups):
  - Groups that the user is a member of
  - User email
  - User first name
  - User last name
- Application access management
User flow for a new user
1. Go to the team URL
2. Authenticate with the identity provider
3. Accept the terms and conditions, if applicable
4. A confirmation email is sent to the user, who needs to confirm the email address
5. Enter the team
As the user enters, their account is created and they are added to every group that the identity provider asserts them to be a member of. Groups that do not exist yet are created at this point and the user is added to them. Groups created this way have no permissions assigned to them, so a group that only exists at the identity provider grants no access until an administrator assigns permissions to it.
User flow for an existing user
1. Go to the team URL
2. Authenticate with the identity provider
3. Enter the team
If the respective option is enabled, the user's group memberships are updated as they enter the team, and any groups that do not exist yet are created. No new confirmation email is sent.
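The two flows above, modelled as an added example (constructed for this article, not Celonis code): one login applies the claims the identity provider sends, creating the account and the confirmation step on first sight, creating unknown groups with no permissions, and, when the update option is on, making memberships match the asserted groups. It assumes that "updating" memberships includes dropping groups the identity provider no longer asserts.

```python
from dataclasses import dataclass, field

@dataclass
class Team:
    users: dict = field(default_factory=dict)    # email -> {"first_name", "last_name", "confirmed"}
    groups: dict = field(default_factory=dict)   # group name -> set of permissions
    members: dict = field(default_factory=dict)  # group name -> set of member emails

    def create_group(self, name, permissions=()):
        """Admin-created group; permissions are assigned explicitly here."""
        self.groups[name] = set(permissions)
        self.members[name] = set()

def jit_login(team, claims, update_groups_on_login=True):
    """Apply one SAML login's claims (email, first_name, last_name, groups) to the team.
    Returns the list of provisioning actions taken, in order."""
    actions = []
    email = claims["email"]
    first_login = email not in team.users
    if first_login:
        team.users[email] = {"first_name": claims["first_name"],
                             "last_name": claims["last_name"], "confirmed": False}
        actions.append(f"create user {email}")
        actions.append(f"send confirmation email to {email}")  # only on first login
    if not (first_login or update_groups_on_login):
        return actions  # option off: existing memberships are left untouched
    asserted = set(claims["groups"])
    for group in sorted(asserted):
        if group not in team.groups:
            team.create_group(group)  # JIT-created group: no permissions assigned
            actions.append(f"create group {group} (no permissions)")
        if email not in team.members[group]:
            team.members[group].add(email)
            actions.append(f"add {email} to {group}")
    # assumption: memberships the IdP no longer asserts are removed on update
    for group in sorted(team.members):
        if email in team.members[group] and group not in asserted:
            team.members[group].discard(email)
            actions.append(f"remove {email} from {group}")
    return actions

def effective_permissions(team, email):
    """Union of the permissions of every group the user is a member of."""
    return set().union(*(team.groups[g] for g, m in team.members.items() if email in m))
```

Pre-creating a group with permissions before its first member signs in is what makes the asserted group grant access; a group that JIT creates on its own yields an empty permission set.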
Setup
1. Create the groups inside the Celonis EMS that you want to assign permissions to, and assign those permissions, before the first user with that group signs in
2. Enable SAML JIT and configure it as described in the respective section of this article
3. Done
Optionally, you can configure the user locking policy to remove accounts from the team after a given number of days of inactivity.