# Provision user accounts Just-In-Time (JIT)

For organizations with an SSO connection configured, enterprise users may not yet have accounts in your application when they first try to access it. Scalekit can create the user account automatically the first time a user signs in through SSO and immediately create a membership in that organization. Your app then receives the user's profile and organization membership details. This is called Just-in-Time (JIT) provisioning.

This eliminates the need for manual invitations and lets users access your application immediately after authenticating with their identity provider. JIT provisioning is enabled by default once you have [integrated Scalekit](/authenticate/fsa/quickstart/) and enabled [the SSO connection](/authenticate/auth-methods/enterprise-sso/).

<details open>
<summary><IconTdesignSequence style="display: inline; width: 1rem; height: 1rem; vertical-align: middle; margin-right: 0.5rem;" /> Review the JIT provisioning sequence</summary>

```d2 pad=50
title: "JIT Provisioning Flow" {
  near: top-center
  shape: text
  style.font-size: 20
}

shape: sequence_diagram

User -> IdP: Authenticate through SSO
IdP -> Scalekit: Send user attributes
Scalekit -> Scalekit: Verify email domain \n matches organization domains
JIT Provisioning: {
Scalekit -> Scalekit: Create user record \n with IdP attributes
Scalekit -> Scalekit: Create organization \n membership
Scalekit -> Scalekit: Assign default roles \n as per your app
Scalekit -> Scalekit: Sync user profile \n from IdP
}
Scalekit -> Your App: Return user profile \n and membership details
Your App -> User: Grant access to application
```

</details>

## Manage JIT provisioning

Manage JIT provisioning settings for each organization through the Scalekit Dashboard. Register organization domains to enable automatic user creation, and configure whether Scalekit should sync user attributes every time users sign in through SSO.

1. ### Register organization owned domains

    Register email domains for your organization to enable JIT provisioning. JIT provisioning only works for users whose email domain matches one of the organization's registered [Organization domains](/authenticate/auth-methods/enterprise-sso/). This ensures that only verified members of the organization can be automatically provisioned.

    **Contractors and external users** with non-matching domains (for example, `joe@ext.yourapp.com` when that domain is not registered for the organization) cannot be automatically provisioned. These users must be <a href="/fsa/guides/user-invitations/">manually invited</a> to join the organization. This ensures that unauthorized users cannot obtain access automatically.

2. ### Toggle JIT provisioning on or off

    **JIT provisioning is enabled by default** once you have [integrated Scalekit](/authenticate/fsa/quickstart/) and enabled [the SSO connection](/authenticate/auth-methods/enterprise-sso/). You can turn JIT provisioning on or off from the Scalekit Dashboard.

    Go to **Organizations**, select the target organization, then open **Single Sign On** > **Settings** > **Just-in-time provisioning**.

    ![](@/assets/docs/enterprise-sso/jit-provisioning.png)

3. ### Keep the user profile in sync with the identity provider

    Enable **Sync user attributes during login** to keep user profiles current. When enabled, Scalekit updates the user's profile with the attributes sent by the identity provider each time the user authenticates, so the identity provider remains the source of truth for those attributes: an attribute changed in the identity provider is reflected in Scalekit at the user's next SSO login.

    When this setting is disabled, the profile is populated from the identity provider only when the account is first provisioned and is not updated on later logins.

    ![](@/assets/docs/enterprise-sso/sync-user-profile.png)

4. ### Using self-service Admin Portal for organization admins

    Your customers (organization admins) can manage JIT provisioning settings through the Admin Portal, including registering organization-owned domains, toggling JIT provisioning on or off, and keeping user profiles in sync with the identity provider.

    [Generate and share the Admin Portal](/guides/admin-portal/) with your customers so they can set up SSO for their organization. Your customers can then manage the JIT configuration under **Admin portal** > **Single Sign On** > **Settings** > **Just-in-time provisioning**.
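The following is an added, self-contained model of the decisions described in steps 1 to 3 above (domain check, JIT toggle, default role, attribute sync). It is illustrative code written for this page, not Scalekit's implementation or SDK: the `Organization`, `User` and `sso_login` names, the attribute names and the sample addresses are constructed for the example. It goes slightly beyond the text in two places that matter for the "only verified members" guarantee: the domain is taken from the last `@` (so a quoted local part cannot smuggle a registered domain in front of the real one) and is compared case-insensitively and exactly (a subdomain of a registered domain is treated as not registered, matching the `ext.yourapp.com` example).

```python
"""Illustrative model of JIT provisioning decisions (not Scalekit code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Organization:
    org_id: str
    registered_domains: Set[str]        # organization-owned email domains (constructed)
    jit_enabled: bool = True            # dashboard toggle; on by default
    sync_attributes: bool = False       # "Sync user attributes during login"
    default_role: Optional[str] = "member"


@dataclass
class User:
    email: str
    profile: Dict[str, str] = field(default_factory=dict)
    memberships: Dict[str, Optional[str]] = field(default_factory=dict)  # org_id -> role


def email_domain(email: str) -> str:
    """Return the normalised domain of an address.

    Split on the LAST '@': a quoted local part may itself contain '@', so a
    naive split on the first one would read the wrong domain. Domains are
    case-insensitive, so lower-case before comparing.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower().rstrip(".")


def domain_is_registered(email: str, org: Organization) -> bool:
    """Exact match only (assumption of this model): 'ext.yourapp.com' does not
    match a registered 'yourapp.com', nor does 'yourapp.com.evil.example'."""
    registered = {d.lower().rstrip(".") for d in org.registered_domains}
    return email_domain(email) in registered


def sso_login(email: str, idp_attributes: Dict[str, str], org: Organization,
              users: Dict[str, User]) -> Tuple[str, Optional[User]]:
    """Process one SSO login against `org`.

    Returns (outcome, user) with outcome one of:
      "provisioned"     - account and/or membership created just in time
      "signed_in"       - existing member signed in (profile synced if enabled)
      "not_provisioned" - JIT off or domain not registered; invite manually
    """
    key = email.lower()
    user = users.get(key)
    if user is None or org.org_id not in user.memberships:
        # Gate both new accounts and new memberships on the same two checks.
        if not org.jit_enabled or not domain_is_registered(email, org):
            return "not_provisioned", None
        if user is None:
            # Create the user record from the IdP attributes.
            user = User(email=key, profile=dict(idp_attributes))
            users[key] = user
        # Create the membership with the organization's default role
        # (None here models a missing default role configuration).
        user.memberships[org.org_id] = org.default_role
        return "provisioned", user
    if org.sync_attributes:
        # IdP is the source of truth: overwrite attributes on every login.
        user.profile.update(idp_attributes)
    return "signed_in", user


if __name__ == "__main__":
    acme = Organization("org_acme", {"yourapp.com"})
    directory: Dict[str, User] = {}
    print(sso_login("alice@yourapp.com", {"name": "Alice A"}, acme, directory))
    print(sso_login("joe@ext.yourapp.com", {"name": "Joe"}, acme, directory))
```

The `not_provisioned` branch is where your application should surface the "manually invite this user" path rather than silently failing the login.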

## Common JIT provisioning scenarios

<details>
<summary>Why isn't a user automatically provisioned during SSO login?</summary>

JIT provisioning only works for users whose email domain matches one of the organization's registered [Organization domains](/authenticate/auth-methods/enterprise-sso/). If a user's email domain doesn't match, they won't be automatically provisioned.

**Solution**: Register the user's domain in [Organization domains](/authenticate/auth-methods/enterprise-sso/) or [manually invite](/fsa/guides/user-invitations/) the user to join the organization.
</details>

<details>
<summary>Why are user roles not assigned correctly during JIT provisioning?</summary>

During JIT provisioning, users are assigned the organization's default member role. If roles are not assigned as expected, the default role is most likely missing or misconfigured for that organization.

**Solution**: Review the organization's default role setting in **Dashboard > Organizations > [Organization] > Default role for member**.
</details>