
Just-In-Time (JIT) User Provisioning

Raidiam Directory’s Just-In-Time (JIT) User Provisioning couples external Single Sign-On (SSO) with fine-grained, policy-driven permission management. The feature enables organisations to delegate user lifecycle management to their trusted Identity Providers (IDPs) while ensuring that every Directory login results in an up-to-date local user record, complete with the correct roles, group memberships, and audit metadata.

JIT enables you to bring your own IDP, bind it to an Authorisation Server, describe which email domains it governs, map IDP “groups” to Directory permissions, and let the platform handle the rest at authentication time.

JIT Benefits

  • Zero-Touch Admin

    New hires gain instant Directory access the moment they appear in the organisation’s IDP. Departures are automatically de-provisioned.

  • Consistent Security Posture

    The Directory mirrors the IDP’s view of each user, eliminating stale or over-privileged accounts.

  • Audit-Ready

    Every change—provision, role grant, or revoke—is captured with the acting IDP & group context, satisfying compliance requirements.

JIT Core Concepts

| Term | Definition |
| --- | --- |
| SSO Configuration | Top-level object that represents an IDP integration for a given Authorisation Server. Includes display name, contacts, DNS proof of domain control, and a generated redirect URI. |
| SSO Configuration Version | A versioned snapshot of IDP connection details (client ID, allowed domains, auth policies, group claim). Any change requires Ecosystem Super-User approval. |
| Restricted Domains | Email domains that must use the linked IDP. May include a wildcard (*). |
| Supported Domains | Email domains that may use the IDP (fallback to Raidiam IDP is allowed). |
| Group | Directory object that pairs an IDP “external group ID” with a human-readable name. Used to grant permissions. |
| Permission Management Service | Internal API that processes signed JIT provisioning requests and reconciles Directory state. |

How It Works

  1. A user enters their email to log in.

  2. Raidiam determines which IDP is responsible for that domain.

  3. If the domain is managed by an external IDP, the user is redirected to authenticate there.

  4. Upon success, the IDP returns a signed ID token containing group information.

  5. The Directory:

    • Wraps this ID token in a secure provisioning request.

    • Validates it against the configured group mappings.

    • Provisions or updates the user in real time.

  6. The user receives an active Directory session with correct permissions.

High-Level JIT Flow (diagram not included in this text)

Where JIT Lives in the Directory

JIT provisioning is configured at the Authorisation Server level. Each Authorisation Server can be linked to an external Identity Provider (IDP) via an SSO Configuration, where domain ownership is validated and IDP metadata is stored (e.g. client ID, group claim).

Each configuration is versioned. Only one version can be active at a time, and every version must be explicitly approved by an Ecosystem Administrator before it is usable. This ensures that sensitive changes (like updating trusted domains or authentication policies) go through the proper governance process.

In order for an IDP to provision users with roles and permissions, its configuration must be mapped to one or more Groups within the Directory. These Groups determine:

  • Which organisations the IDP is allowed to manage.
  • What kind of permissions (e.g. Organisation Admin, Domain User) the user should receive.
  • Under which systems and roles those permissions are applied.

Only Ecosystem Administrators with the appropriate access can create these group-to-permission bindings.
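The following is an added illustration, not Raidiam's own code, of the two pieces described above: the domain routing in steps 1–3 of "How It Works" (restricted domains with wildcards versus supported domains with Raidiam IDP fallback) and the group-to-permission reconciliation in step 5, including the audit record with diffed permissions. It assumes the ID token's signature and expiry have already been verified by the caller, that the IDP is identified by an issuer URL matching the token's `iss` claim, and uses constructed sample data (`SAMPLE_CFG`, `SAMPLE_CLAIMS`); the field names are hypothetical.

```python
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class SsoConfig:
    issuer: str               # IDP issuer; assumed to match the ID token "iss" claim
    restricted_domains: list  # must use this IDP; "*" wildcard allowed
    supported_domains: list   # may use this IDP; Raidiam IDP fallback allowed
    group_claim: str          # ID-token claim carrying external group IDs
    groups: dict              # external group ID -> set of Directory permissions

def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()

def governs(cfg, domain):
    patterns = cfg.restricted_domains + cfg.supported_domains
    return any(fnmatch.fnmatch(domain, p) for p in patterns)

def route_login(email, configs):
    """Step 2: choose the IDP for an email. Returns (config, mandatory)."""
    domain = domain_of(email)
    for cfg in configs:
        if any(fnmatch.fnmatch(domain, p) for p in cfg.restricted_domains):
            return cfg, True          # restricted: external IDP is the only option
    for cfg in configs:
        if domain in cfg.supported_domains:
            return cfg, False         # supported: external IDP or Raidiam IDP
    return None, False                # no SSO configuration: Raidiam IDP only

def provision(cfg, claims, current):
    """Step 5: reconcile permissions from verified claims -> (new set, audit record)."""
    if claims.get("iss") != cfg.issuer:
        raise ValueError("token issuer does not match the SSO configuration")
    if not governs(cfg, domain_of(claims["email"])):
        raise ValueError("IDP may not assert users outside its proven domains")
    group_ids = claims.get(cfg.group_claim, [])
    known = [g for g in group_ids if g in cfg.groups]   # unmapped groups grant nothing
    desired = set().union(*(cfg.groups[g] for g in known))
    audit = {"user": claims["email"], "idp": cfg.issuer, "group_ids": group_ids,
             "granted": sorted(desired - current), "revoked": sorted(current - desired),
             "timestamp": datetime.now(timezone.utc).isoformat()}
    return desired, audit

# Constructed sample data (hypothetical, not real Raidiam configuration).
SAMPLE_CFG = SsoConfig("https://idp.example.test", ["example.test", "*.example.test"],
                       ["partner.test"], "groups",
                       {"grp-admin": {"org-admin"}, "grp-user": {"domain-user"}})
SAMPLE_CLAIMS = {"iss": "https://idp.example.test", "email": "alice@eu.example.test",
                 "groups": ["grp-user", "grp-unknown"]}
```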

Security & Audit Highlights

  • Domain Control Proof – TXT record required before any IDP can assert ownership of a domain.

  • Version Approval Workflow – All breaking changes are gated by Ecosystem Super-User review.

  • Scoped Permissions – An IDP can only grant Organisation Admin rights to orgs that have explicitly opted in.

  • Immutable Audit Trail – Every provisioning event stores: user, acting IDP, group IDs, diffed permissions, timestamp.