Just-in-time (JIT) provisioning allows you to use a SAML assertion to create a CodeSignal account automatically for a new user in your organization the first time they try to log in. This eliminates the need to manually or bulk create the user accounts upfront when enabling single sign-on (SSO).
Benefits of enabling JIT provisioning
We recommend enabling this feature in your SSO/SAML setup, as it provides a number of benefits for your users’ experiences with CodeSignal:
- Reducing Administrative Overhead: Creating these accounts on demand, as part of the single sign-on process, eliminates the need to survey and procure user accounts manually.
- Improving User Adoption and Experiences: Users can use one single password and seamlessly access the CodeSignal platform without encountering potential errors or blockers due to a failure to procure an account in advance.
- Enforcing Unified Security Standards: By utilizing SSO with JIT provisioning, you can continue to leverage the security policies for your corporate network, and users won’t be creating multiple accounts and passwords.
Prerequisites
In order to enable just-in-time provisioning, SSO with SAML is required. Please refer to the following article to set it up:
Steps to Enable Just-in-Time Provisioning:
Just-in-time provisioning requires the creation of a SAML assertion. Your Identity Provider (IdP), such as Okta or Google SSO, needs to be configured to pass additional attributes along with the SAML login response in order for the user account to be automatically created.
The following fields are expected to be configured:
| Field Name | Description |
| --- | --- |
| firstName | [Required] First name of the user to be created. |
| lastName | [Required] Last name of the user to be created. |
| email | [Optional] Email of the user to be created. Email must be lowercase. Ideally, this should be explicitly identified unless the NameID attribute contains the email of the user to be created. |
The configuration may differ depending on the Identity Provider you are utilizing. Below are two examples showing how to configure these fields for Okta and Google SSO, but the same approach is used for all SAML-based SSO identity providers.
By default, just-in-time provisioning will create new users under the Interviewer role on the CodeSignal platform, which is typically the desired default user type. If you have any custom requirements or mapping needs, please contact us at support@codesignal.com with some lead time to implement these customizations.
Enabling Just-in-Time Provisioning for Okta
Please follow the instructions from Okta to configure the SAML settings. In the example above, as NameID is directly utilizing EmailAddress, the email attribute is not explicitly defined. The firstName and lastName fields are mapped as additional Attribute Statements to user.firstName and user.lastName.
Enabling Just-in-Time Provisioning for Google SSO
Please follow the instructions from Google’s G Suite Admin Help to configure the SAML settings. In the example above, email, firstName, and lastName are custom attributes that have been added to map to Basic information > Primary email, Basic information > First name, and Basic information > Last name, respectively.
Testing and Debugging
Once you have completed the configuration, please contact support@codesignal.com with the field-name mappings that are used for the three attributes (email, firstName, and lastName) and we will enable just-in-time provisioning for your organization. Please wait until you receive a confirmation email from CodeSignal before proceeding to test the automatic account creation/provisioning.
Upon receiving a confirmation email from us, you can test with a user who is not currently set up on CodeSignal: that user should be able to sign in via SSO without encountering an error that the account does not exist during the sign-in process.
Please see below for a list of the possible errors and what to do if you encounter them:
| Error Message | Description |
| --- | --- |
| SSO is not enabled for [companyName] | Single sign-on is not currently enabled for your organization. Please contact us to ensure it is properly enabled. |
| Invalid SAML Response | Please validate the SAML response to ensure it is well-formed and the NameID is properly configured. |
| NameID [email] is not associated with your organization -or- Unable to find the user with NameID [email] | If you do not get the SSO error, but the user sees this message, please contact support@codesignal.com to verify that the JIT feature has been enabled for your organization and that all three attributes are properly specified. |
| An email has been sent to [email] with a confirmation link. Use it to confirm your account and retry logging in. | An account was previously created for this user and is still pending their confirmation. |
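The attribute requirements listed earlier and the "Invalid SAML Response" row can be checked locally before contacting support. The following is an added example, not CodeSignal's code: it inspects a decoded assertion captured from your own IdP. It assumes the attribute names firstName, lastName and email (the `names` parameter is hypothetical, for other mappings), treats a NameID containing "@" as an email address, and applies the lowercase rule to a NameID that stands in for the email.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not real IdP output); signature omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>Jane.Doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_jit_attributes(xml_text, names=("firstName", "lastName", "email")):
    """Return a list of problems with the JIT attributes in a SAML assertion.

    Inspects attribute content only. It does not verify the XML signature,
    so use it for debugging responses captured from your own IdP.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    first, last, email_name = names
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    # firstName and lastName are required and must be non-empty.
    problems = [f"missing required attribute {n}" for n in (first, last) if not attrs.get(n)]
    name_id = root.find(".//saml:NameID", NS)
    name_id_text = (name_id.text or "").strip() if name_id is not None else ""
    if not name_id_text:
        problems.append("NameID is missing or empty")
    # email is optional only when NameID itself carries the address.
    # Assumption: the lowercase rule also applies to a NameID used as the email.
    email = attrs.get(email_name) or name_id_text
    if "@" not in email:
        problems.append("no email attribute and NameID is not an email address")
    elif email != email.lower():
        problems.append(f"email must be lowercase: {email}")
    return problems


if __name__ == "__main__":
    for problem in check_jit_attributes(SAMPLE):
        print(problem)
```

An empty list means the assertion carries everything the fields table asks for; it says nothing about whether the response is correctly signed.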
Questions? Contact support@codesignal.com