dale newhart

JIT Provisioning

With JIT Provisioning and Active Directory, I have seen conflicting documentation.  1.  User signs in to Okta with AD credentials and an Okta account is created.   and 2.  If you are using JIT Provisioning with Active Directory users, they must be imported first.
Which is correct?  OR what am I missing?  :o)

Thanks
Kevin Turner (Okta, Inc.)
Actually both could be correct depending on which agent you are using. The newer agents, 3.3.5 and above, and the new JIT process do not require the users to be imported.
Gabriel Sroka (Okta, Inc.)
Hi Dale
#1 will work if it's configured correctly. Do you have URLs for the conflicting documents so we can update them as necessary?
Thanks.
dale newhart
From https://support.okta.com/help/knowledge_detail?id=kA0F0000000AY48: If you are using JIT provisioning with AD users, they must be imported first. After you enable JIT, import user accounts from AD. The import process defines the set of AD accounts that can be used to create Okta accounts (whether via JIT or the confirmation process). AD accounts that are not on the import list cannot be used to create Okta accounts.

 
dale newhart
Security > Authentication > JIT Provisioning page also refers to importing users first.
dale newhart
Sooooo, define "configured correctly"   I have enabled JIT provisioning.  AD delegation test passes with the AD account I want to provision, but logging in with that account to stateradn.oktapreview.com fails.   Is there detailed documentation available to configure?
Thanks
Eric Tipton
Glad I am not the only one that found the info on JIT for AD confusing. I must have read it five times. It's still not clear to me what turning on JIT would do for me...or more importantly any potential downside to doing so. 
dale newhart
What I found is that an Import is required to enable JIT for AD users (using AD Agent 3.3.5). As long as the NO IMPORT MATCH rule is set to Manually match new user and auto-activate is unchecked (I believe this setting could be either checked or unchecked). I can do an import from AD, no match is found for the imported user. User does NOT appear in the People list. That user can then log in to the Okta Home Page with AD credentials (UPN format). At that point the Okta user account IS provisioned (just in time....  :o)  )

Anyone from Okta care to confirm this behavior?

Thanks!
Gabriel Sroka (Okta, Inc.)
Hi Dale
Under AD > Settings, do you have an option for JIT Provisioning, Create and update users on login?
See https://support.okta.com/help/articles/Knowledge_Article/About-Okta-s-Enhanced-Active-Directory-Integration
dale newhart
I do not have the dual OU selection. JIT is enabled under Security > Authentication > JIT Provisioning. What needs to be done for me to be able to see these and complete my evaluation for a client? I am using v3.3.5 of the AD Agent.
Eric Tipton
I had the same issue. Opened a case w. support and was told they "need to activate a feature flag for the Enhanced Active Directory Integration". Once that was done, I was able to see the dual OU selection.