Just-in-time provisioning
Just-in-time (JIT) provisioning automatically creates users and organization memberships when they sign in through SSO for the first time. This feature allows users to access your application without requiring manual invitations from IT administrators. For example, users don’t need to remember separate credentials or go through additional signup steps - they just sign in through their familiar SSO portal. Your app signs them up instantly.
Introduction
JIT provisioning is particularly useful for enterprise customers who want to provide seamless access to your application for their employees while maintaining security and control through their identity provider.
When a user signs in through SSO for the first time, Scalekit automatically:
- Detects the verified domain - Scalekit checks if the user’s email domain matches a verified domain in the organization
- Creates the user account - A new user profile is created using information from the identity provider
- Establishes membership - The user is automatically added as a member of the organization
- Completes authentication - The user is signed in and redirected to your application
This process happens seamlessly in the background, providing immediate access without manual intervention.
Enabling JIT provisioning
JIT provisioning must be enabled for each organization that wants to use this feature. You can enable it through the Scalekit Dashboard or programmatically using the API.
Enable via Dashboard (coming soon)
- Log in to your Scalekit Dashboard.
- Navigate to Organizations and select the organization.
- Go to Settings and find the JIT Provisioning section.
- Toggle the setting to enable JIT provisioning for this organization.
Enable via API
You can also enable JIT provisioning programmatically using the Scalekit API:
npm install @scalekit-sdk/node
pip install scalekit-sdk-python
go get -u github.com/scalekit-inc/scalekit-sdk-go
/* Gradle users - add the following to your dependencies in build file */
implementation "com.scalekit:scalekit-sdk-java:1.1.3"
<!-- Maven users - add the following to your `pom.xml` -->
<dependency>
  <groupId>com.scalekit</groupId>
  <artifactId>scalekit-sdk-java</artifactId>
  <version>1.1.3</version>
</dependency>
// Coming soon - API to enable JIT provisioning
Domain verification requirement
JIT provisioning only works for users whose email domains have been verified by the organization. This ensures that only legitimate members of the organization can automatically gain access to your application.
Organization admins can verify domains through the admin portal. Once verified, any user with an email address from that domain can use JIT provisioning when signing in through SSO.
Guest users
JIT provisioning has limitations for guest users whose email domains have not been verified by the organization:
- Contractors and external users with unverified email domains cannot use JIT provisioning
- These users must be manually invited to join the organization before they can sign in through SSO
- This ensures security by preventing unauthorized users from automatically gaining access
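The verified-domain gate and the guest-user rule above can be modelled as a single decision function. The following is an added example, not Scalekit SDK code or Scalekit's implementation: the Org class, decide_sso_signin, the outcome strings and the exact-match domain rule are assumptions made for illustration.

```python
# Added illustration: a model of the JIT decision described on this page.
# Not Scalekit SDK code; Org, decide_sso_signin and the outcome strings are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Org:
    jit_enabled: bool
    verified_domains: set                      # domains verified by org admins
    members: set = field(default_factory=set)  # normalized member emails
    invited: set = field(default_factory=set)  # manually invited emails


def email_domain(email: str):
    """Return the lower-cased domain, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local or not domain:
        return None
    return domain.lower().rstrip(".")


def decide_sso_signin(org: Org, email: str) -> str:
    """Decide what happens when an SSO-authenticated user reaches the app."""
    domain = email_domain(email)
    if domain is None:
        return "reject:malformed_email"
    email = email.strip().lower()
    if email in org.members:
        return "sign_in"                      # existing membership, no provisioning
    if email in org.invited:
        org.members.add(email)                # guest path: manual invitation
        return "accept_invitation"
    # Assumption: exact match only, so a subdomain or look-alike of a
    # verified domain does not qualify for automatic provisioning.
    if org.jit_enabled and domain in {d.lower() for d in org.verified_domains}:
        org.members.add(email)                # create user + membership
        return "jit_provision"
    return "reject:invitation_required"


# Constructed sample data
acme = Org(jit_enabled=True, verified_domains={"acme.example"},
           invited={"contractor@agency.example"})
for addr in ["Ana@ACME.example", "contractor@agency.example",
             "bob@acme.example.evil.test", "eve@mail.acme.example", "no-at-sign"]:
    print(f"{addr:32} -> {decide_sso_signin(acme, addr)}")
```

Running the same check in your own application after the SSO callback gives a second, independent gate on which email domains may receive an automatically created membership.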
What’s next?
- Learn about Automated User Provisioning for non-SSO authentication methods
- Explore Enterprise SSO setup and configuration
- Set up organization switching for users who belong to multiple organizations