
Set Up Just-In-Time User Provisioning

Learn how to set up Just-In-Time user provisioning

JIT provisioning automatically creates a new user in Foundry the first time they attempt to sign in using single sign-on (SSO). Each time the user signs in again, their profile is updated. This feature is recommended only for select organizations.

To enable JIT provisioning

Once your account is enabled:

  1. Go to Settings > Single sign-on in the Foundry Admin Portal.
  2. Check Allow automatic registration during SSO to create new users automatically if they don’t already exist in Foundry.
  3. (Optional) Check Suppress Welcome Emails to users created via SSO if you don’t want these users to receive a welcome email.

Configure Default Settings for New Users

The following steps apply only if you selected Allow automatic registration during SSO.

When new users are created during SSO, Foundry assigns them a default User Type, Role, and Location. These defaults apply only to new users and do not affect existing users. You can override these defaults using SAML attributes (explained below).

  1. Choose a Default User Type from the dropdown.
  2. Choose a Default User Role from the dropdown.


Map Required and Optional SAML Attributes

If you enabled automatic registration, you must map the following SAML attributes:

  • First Name
  • Last Name
  • Email

You may also map:

  • Location
  • User Type
  • Role

These optional attributes allow you to override the default values for specific users.

Each mapping includes:

  • Foundry User Property – The field in Foundry (e.g., First Name, Role).

  • SAML Attribute – The exact attribute name from your identity provider’s SAML assertion.

    Attribute names are case-sensitive. For example, use LastName, not lastname.

  • Is Editable? – Check this box if you want users or customer admins to be able to edit this field in Foundry. If unchecked, the field will be locked for users with SSO IDs.


Override Defaults with SAML Attributes

To override default values, include the appropriate attributes in your SAML assertion:

  • User Type:
    Provide the desired user type. If you do this, you must also include a matching Role attribute.

    Only user types valid for your account’s line of business are accepted. See the # table for valid codes.

  • Role:
    Provide the desired role. This also requires a matching User Type attribute.

    Most user types do not support role overrides, except for cc_learner (Employee Learner), which allows supervisor or non_supervisor as valid roles. These values must be lowercase.

  • Location:
    Provide the Foundry location name (not the ID) in the attribute.
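
A pre-flight check for the mapping and override rules above, as an added example that is not Foundry's own code: it reads the attributes from a test assertion and reports mismatches with the rules on this page. The attribute names in MAPPING (FirstName, UserType and so on) and the sample assertion are assumptions, and the script does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed mapping (Foundry property -> SAML attribute name); use your IdP's names.
MAPPING = {"First Name": "FirstName", "Last Name": "LastName", "Email": "Email",
           "User Type": "UserType", "Role": "Role", "Location": "Location"}
REQUIRED = ("First Name", "Last Name", "Email")
ROLE_OVERRIDES = {"cc_learner": {"supervisor", "non_supervisor"}}  # from this page

def read_attributes(assertion_xml):
    """Return {attribute Name: first value} for every Attribute in the assertion."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def check_assertion(assertion_xml, mapping=MAPPING):
    """List mismatches between an assertion and the JIT rules described above."""
    attrs = read_attributes(assertion_xml)
    by_lower = {name.lower(): name for name in attrs}
    problems = []
    for prop, name in mapping.items():
        if attrs.get(name):
            continue
        sent = by_lower.get(name.lower())
        if sent and sent != name:  # present, but under a differently cased name
            problems.append(f"{prop}: IdP sends '{sent}', mapping expects '{name}'")
        elif prop in REQUIRED:
            problems.append(f"{prop}: required attribute '{name}' is missing or empty")
    user_type, role = (attrs.get(mapping[p], "") for p in ("User Type", "Role"))
    if bool(user_type) != bool(role):
        problems.append("User Type and Role must be sent together")
    elif user_type in ROLE_OVERRIDES and role not in ROLE_OVERRIDES[user_type]:
        problems.append(f"Role '{role}' is not valid for {user_type} (lowercase only)")
    return problems

# Constructed sample: wrong case on LastName and a capitalised role value.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastname"><saml:AttributeValue>Byron</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="UserType"><saml:AttributeValue>cc_learner</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>Supervisor</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE)))
```

Role values for user types other than cc_learner are not checked, because the table of valid codes is not reproduced on this page.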



Behavior for Existing Users

If Allow automatic registration during SSO is not enabled, you can still map attributes (first name, last name, email, location, user type, role) to update existing users during SSO.

If the SAML assertion includes both a User Type and a Role:

  • Foundry will assign the user that type + role combination if they don’t already have it.
  • If the user already has the type but with a different role, Foundry will update the role.
  • Foundry will not remove any existing type + role combinations.

Final Step

When you’ve finished configuring your JIT setup, click Save to apply your changes.


Typical JIT Configurations

Below are common JIT setup examples based on organizational needs. Your configuration may vary—consult your Customer Success Manager for guidance on edge cases.

  • Default User Type: Financial Education Student
  • Default User Role: Learner
  • Default Location: (leave blank)
  • SAML Attributes: First Name, Last Name, Email


Update Existing Users Only (Do Not Create New Users)

While JIT is typically used to both create and update users, you can configure it to only update existing users—preventing the creation of new accounts during SSO. This setup is not generally recommended but is supported.

To configure JIT for updates only:

  1. Do not check the Allow automatic registration during SSO box.
  2. Leave the Default User Type, Role, and Location fields empty.
  3. Add attribute mappings for any user properties you want to update during SSO (e.g., First Name, Last Name, Email, etc.).

With this configuration, only users who already exist in Foundry will be updated. No new users will be created during SSO.