Skip to main content

Celonis Product Documentation

Just-In-Time Provisioning via SAML

With SAML JIT, you can leverage an existing SSO via SAML setup easily. It offers the following capabilities:

  • Provisions membership and groups upon the first login of a user

  • Updates group memberships continuously with every login

The authenticating party (the identity provider) needs to support the following:

    • Group support

    • Modifiable claims (Information that is sent with every login to create accounts and update groups)

      • Groups that the user is a member of

      • User email

      • User first name

      • User Last name

    • Application access management

User flow for a new user
  1. Go to team URL

  2. Authenticate with an identity provider

  3. Accept T&C - if applicable

  4. The E-Mail gets sent to the user - he/she needs to confirm the email address

  5. Enter team

As the user enters, his account is created. He is also added to any groups that he is a member of. Groups that do not exist at this point in time get created and the user gets added. Newly added groups do not have any permissions assigned to them.

User flow for an existing user
  1. Go to team URL

  2. Authenticate with an identity provider

  3. Enter team

If the respective option is set, the user's group memberships are updated as he enters the team.

Any new groups are then also created. No new confirmation email is sent.

  1. Create any groups inside the Celonis EMS that you would like to assign permissions to before the first user with that group signs in

  2. Enable SAML JIT and configure it as described in the respective section in this article

  3. Done

Optionally, you can configure the User locking policy to remove dead user accounts from the team after a given number of days of inactivity.