How do I utilize just-in-time provisioning as a DocuSign Administrator?

What is just-in-time provisioning?

Just In Time (JIT) Provisioning is a native feature of DocuSign's Access Management with Single Sign On (SSO) offering. JIT Provisioning allows for automatic provisioning of DocuSign users from the Identity Provider(s) associated with an organization. When DocuSign receives an SSO login request (also known as a SAMLResponse) from your Identity Provider for a user who does not already have an active Membership in the DocuSign organization, a new user is provisioned on the default Account/Permission Profile for your SSO configuration. This means any user who has been given permission to access DocuSign by your Identity Provider can log into and use DocuSign, even if they don't currently have an active account. With JIT Provisioning, all access to DocuSign is controlled through the Identity Provider.

How does just-in-time provisioning work?

Just In Time Provisioning works by reviewing the user attributes passed to DocuSign in a valid SAMLResponse and attempting to match them to an existing Active user. If no Active user is found within the organization, a new user is provisioned and activated automatically. See the attributes below for more information on how they are used with JIT Provisioning:
  • nameidentifier: Also known as "Federated Identifier" or "Name ID." If a user has previously accessed DocuSign via SSO, that user will have a nameidentifier attribute. This is the primary identifier for users logging in via SSO. If an end user from your claimed domain logs in and an Active User matching nameidentifier is located, the end user is logged into that DocuSign user. If the emailaddress attribute from the SAMLResponse does not match the current email address of the DocuSign user, the user's email address is updated to match.
  • emailaddress: If the nameidentifier passed in the SAMLResponse does not match any Active DocuSign User, DocuSign will attempt to locate an Active User matching all of emailaddress, givenname, and surname. If no Active user exists with all three attributes matching what is received in the SAMLResponse, a new user is provisioned.
  • givenname: Searched in combination with emailaddress and surname to attempt to locate an Active DocuSign User when no match is located for nameidentifier. If no Active user exists with all three attributes matching what is received in the SAMLResponse, a new user is provisioned.
  • surname: Searched in combination with emailaddress and givenname to attempt to locate an Active DocuSign User when no match is located for nameidentifier. If no Active user exists with all three attributes matching what is received in the SAMLResponse, a new user is provisioned.
By default, users who are JIT Provisioned are created on the default Account with the default Permission Profile for an organization. To change this behavior, you will need to include two additional attributes in your SAMLResponse to provision the user:
  • accountid
  • permissionprofileid
For more information on these attributes and how to utilize them with JIT Provisioning, please see Setting Up SSO: Identity Providers - DocuSign Admin for Organization Management.
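The matching order described above, written out as an added Python sketch (not DocuSign's code). It assumes the SAMLResponse has already been validated and its attributes parsed into a dict, that binding nameidentifier to a user on a profile match happens at first SSO login, and that the account and permission profile ids are placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder ids; not real DocuSign account or profile ids.
DEFAULT_ACCOUNT_ID = "ACCOUNT-DEFAULT"
DEFAULT_PERMISSION_PROFILE_ID = "PROFILE-DEFAULT"


@dataclass
class User:
    email: str
    givenname: str
    surname: str
    active: bool = True
    nameidentifier: Optional[str] = None  # set once the user has logged in via SSO
    accountid: str = DEFAULT_ACCOUNT_ID
    permissionprofileid: str = DEFAULT_PERMISSION_PROFILE_ID


def jit_resolve(users: list, attrs: dict) -> tuple:
    """Resolve the DocuSign user for the attributes of a validated SAMLResponse.

    Returns (user, outcome) with outcome 'nameid', 'profile' or 'provisioned'.
    Assumes signature, issuer and audience of the SAMLResponse were checked
    upstream; only Active users take part in matching.
    """
    active = [u for u in users if u.active]
    name_id = attrs.get("nameidentifier")
    # 1. Primary lookup on nameidentifier. On a hit, the stored email address is
    #    updated to the emailaddress carried in the SAMLResponse.
    if name_id:
        for u in active:
            if u.nameidentifier == name_id:
                if u.email != attrs["emailaddress"]:
                    u.email = attrs["emailaddress"]
                return u, "nameid"
    # 2. Fallback: emailaddress, givenname and surname must all match.
    for u in active:
        if (u.email == attrs["emailaddress"] and u.givenname == attrs["givenname"]
                and u.surname == attrs["surname"]):
            u.nameidentifier = name_id  # assumption: bind the IdP identity on first SSO login
            return u, "profile"
    # 3. No match: provision on the default account and profile unless the
    #    SAMLResponse carries accountid / permissionprofileid.
    new = User(email=attrs["emailaddress"], givenname=attrs["givenname"],
               surname=attrs["surname"], nameidentifier=name_id,
               accountid=attrs.get("accountid", DEFAULT_ACCOUNT_ID),
               permissionprofileid=attrs.get("permissionprofileid", DEFAULT_PERMISSION_PROFILE_ID))
    users.append(new)
    return new, "provisioned"
```

Because step 1 rewrites the stored email and step 3 creates an Active user, the validity of the SAMLResponse is the control everything else rests on; an inactive user is never matched and is recreated instead.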
