JIT Provisioning

Just-In-Time (JIT) provisioning automatically creates user accounts when they first sign in via SSO. No manual user creation needed — users are provisioned on demand.

No setup required: JIT provisioning is enabled automatically when SSO is configured. No additional setup needed.

How JIT Works

When a user signs in via SSO for the first time, SecureCodingHub handles account creation automatically:

User signs in via SSO

A user clicks "Sign in with SSO" and authenticates through your identity provider for the first time.

Authentication response received

SecureCodingHub receives the authentication response from your IdP containing the user's identity claims.

User lookup

The system checks if a user with that email or ExternalSsoId already exists in the organization.

Account creation

If no existing user is found, a new account is created with the Learner role.

Seat check

If the organization has no available seats, the login is rejected with an error. The user is not provisioned.

Training begins

The user is logged in and can start training immediately. No manual onboarding steps needed.

What Gets Created

When JIT provisions a new user, the following profile fields are populated:

Field	Value
Email	From SSO response (NameID or email attribute)
Name	From SSO attributes (if available)
Role	Learner (default)
Auth Method	OIDC or SAML (based on SSO protocol)
External SSO ID	Unique identifier from IdP
Team	None (can be assigned later, or use SCIM)

Seat Management

JIT provisioning respects your organization's seat limit (maxSeats). When a new user attempts to sign in via SSO, the system checks whether there are available seats before creating the account.

If all seats are used, the new user will see an error and cannot be provisioned. Admins should monitor seat usage from the dashboard and upgrade their plan if they need more seats.

JIT + SCIM

For full lifecycle management, combine JIT provisioning with SCIM:

Feature	Purpose
JIT	Creates users on first login. Immediate access with no admin action required.
SCIM	Syncs user attributes, group/team assignments, and handles deprovisioning from your IdP.
JIT + SCIM	JIT creates the user on first access. SCIM keeps user data, teams, and lifecycle in sync going forward.

Recommended: Combine JIT with SCIM for the best experience. JIT handles initial access, SCIM handles ongoing lifecycle management.

Promoting Users

JIT-created users are always assigned the Learner role. JIT does not support creating Org Admin accounts automatically.

To promote a user to Org Admin, an existing admin must navigate to the Users page and manually change the user's role. This is a deliberate security measure to prevent privilege escalation through SSO claims.