Currently, this feature is behind the feature flag
PL_ENABLE_JIT_USER_PROVISION. Contact Harness Support to enable the feature.
Automated provisioning eliminates repetitive tasks related to manual provisioning and simplifies user management.
Just-in-time (JIT) provisioning in Harness lets you provision users automatically when they first sign-in to Harness through SAML SSO. Harness supports JIT provisioning only for new users logging in through an IdP, such as Okta.
Here's how JIT provisioning works:
- You add a user to your SAML application.
- The user logs in to Harness through SAML SSO.
- Harness automatically provisions the user and grants access accordingly.
Before you can enable JIT provisioning, you must configure SAML SSO authentication.
- Microsoft Entra: SAML SSO with Microsoft Entra ID
- Okta: SAML SSO with Okta
- OneLogin: SAML SSO with OneLogin
- Other: SAML SSO with Keycloak
Enable JIT provisioning in Harness
In Harness, select Account Settings, and then select Authentication.
Select SAML Provider to add a new SAML provider.
Enter a Name for the SAML provider.
Select your SAML SSO provider.
Select Enable JIT Provisioning.
Enter the JIT Validation Key and JIT Validation Value.
These settings allow you to control which users can be automatically provisioned in Harness on their first login. These settings define the validation key-value pair that must be present in the SAML assertion on the first login.
When users log in to your Harness instance for the first time, and they use SAML SSO authentication, Harness automatically provisions any users that have the matching JIT Validation Key and JIT Validation Value in the SAML assertion.
If you don't specify a JIT Validation Key and JIT Validation Value, Harness uses JIT provisioning to provision all new users logging in through SAML.