
SAML JIT provisioning and account creation: where teams get it wrong


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: SAML just-in-time provisioning automates first-login account creation through an identity provider, but it only works when the service application supports SAML and when teams understand its limits versus SCIM and just-in-time privilege, according to Zluri. The governance issue is not speed alone, but whether onboarding automation is being mistaken for lifecycle control.

NHIMG editorial — based on content published by Zluri: Best Practices Just In Time Provisioning: Simplifying User Account Creation

By the numbers:

Questions worth separating out

Q: How should security teams implement just-in-time provisioning safely?

A: Use it only for supported applications, then pair it with lifecycle controls that handle updates and offboarding.

Q: Why do just-in-time provisioning and SCIM solve different problems?

A: JIT creates an account when the user first authenticates, while SCIM manages create, update, and delete operations across the lifecycle.

Q: What breaks when first-login account creation is used as the only control?

A: Teams often end up with stale accounts, duplicate records, and no reliable path for revocation or attribute updates.

Practitioner guidance

  • Separate provisioning from lifecycle control: document JIT as an onboarding mechanism only, then assign update and deprovisioning ownership to SCIM, HR-driven workflow, or access governance processes.
  • Validate application support before rollout: inventory which applications support SAML-based first-login account creation and block rollout where the service provider cannot create accounts reliably.
  • Check attribute quality in the SAML assertion: review the name, email, role, and other identity attributes carried in the assertion so account creation does not propagate bad source data.
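As an added illustration of the attribute-quality check above (example code, not from Zluri's article or this post): a small Python gate that parses a constructed SAML AttributeStatement and refuses JIT account creation when a required attribute is missing, the email is malformed, or the role falls outside an assumed allow-list; it also derives a case-folded dedupe key so a repeat login maps to the same record rather than a duplicate. The required-attribute list and role allow-list are assumed policy values.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed policy values: attributes the JIT handler needs, and roles it may map.
REQUIRED = ("email", "firstName", "lastName")
ALLOWED_ROLES = {"viewer", "editor"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample AttributeStatement fragments (not real IdP output).
SAMPLE_OK = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>Ada.Lovelace@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role"><saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
SAMPLE_BAD = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>not-an-email</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Bob</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def extract_attributes(statement_xml: str) -> dict:
    """Map each saml:Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs

def validate_for_jit(attrs: dict) -> list:
    """Return the problems found; an empty list means account creation may proceed."""
    problems = []
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing required attribute: {name}")
    emails = attrs.get("email", [])
    if len(emails) > 1:
        problems.append("multiple email values; account identity is ambiguous")
    elif emails and not EMAIL_RE.match(emails[0]):
        problems.append(f"malformed email: {emails[0]!r}")
    for role in attrs.get("role", []):
        if role not in ALLOWED_ROLES:
            problems.append(f"role not in allow-list: {role!r}")
    return problems

def account_key(attrs: dict) -> str:
    """Case-folded email used as the dedupe key so a re-login matches one record."""
    return attrs["email"][0].strip().lower()
```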

What's in the full article

Zluri's full blog post covers the implementation detail this post intentionally leaves for the source:

  • Step-by-step SAML login flow for first-time account creation in supported applications
  • The article's distinction between JIT provisioning, SCIM provisioning, and just-in-time privilege
  • Examples of where manual account creation creates duplicate or inactive users
  • The vendor's own walkthrough of integrating access management with HRMS inputs

👉 Read Zluri's guide to just-in-time provisioning and account creation →
