Purpose: Empowering Seamless User Access and Management through SSO
Prokeep's Just In Time (JIT) User Provisioning feature is designed to streamline user access and management through Single Sign-On (SSO). By integrating automation with custom SAML 2 SSO attributes from your identity provider (IdP), we offer a smooth and efficient experience for user provisioning and updates within Prokeep.
Key Components:
Attribute Mapping:
- Username: The username is the main identifier for a user attempting to log in. This should be the same value they use to sign in to their IdP (Entra, Google Workspace, etc.).
- Contact Email: If your organization does not use email addresses for sign in, we will need to populate a separate field in Prokeep so email notifications can go out. If your organization does use email for usernames when signing in, please disregard this field.
- First and Last Name: Prokeep will need to be able to read the first and last name of the user in order to create them.
- Job Title: this is an optional field in Prokeep to provide additional context about a user.
- Group Mapping: Assign users to the appropriate Prokeep Group based on attributes such as job locations or branches. This is facilitated by associating the location/branch code with the external ID of Prokeep Groups. Consistency in location codes across users ensures accurate group assignments.
- Region Mapping: If you are using Prokeep Regions, we can automatically assign users to those regions, and all the groups therein, by associating a value from your Identity Provider with the external ID for a Region in Prokeep. Consistency in location codes across users ensures accurate region assignments.
User Provisioning and Updating Flow:
Initial Authentication:
- Upon a user's first SSO authentication into Prokeep, our system will automatically create their account.
- Users will be added to the designated group based on attribute mapping, and their role will be assigned according to the role mapping.
Exception Handling:
- If a user attempts to log in with an invalid username or does not have a group match in Prokeep, they will not be provisioned in Prokeep and will be redirected to an error screen.
- Admins are notified via email about user provisioning errors, allowing manual permissions adjustment.
Automated Updates:
- User updates are seamlessly managed through the same attribute mapping used for provisioning.
- Users cannot be edited in Prokeep. Automated updates are triggered whenever a user's role or group assignment in Prokeep doesn't align with their IdP information upon login.
- Automated updates do not support deactivation of users. Deactivation will need to be completed within the User management page. Users who have been deactivated may be reactivated on subsequent logins if they are granted access in the IdP once more.
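The rules above can be checked against an IdP user export before rollout. The following is an added example, not Prokeep's code: the field names (`username`, `first_name`, `last_name`, `contact_email`, `location_code`), the exact-match comparison of location codes to group external IDs, and the "@" test for email-style usernames are all assumptions.

```python
# Added illustration: pre-rollout audit of an IdP user export against the
# JIT provisioning rules on this page. Field names are assumptions.
from collections import defaultdict

def audit_idp_export(idp_users, group_external_ids, deactivated_usernames):
    """Return {username or row label: [findings]} for users who would hit a problem."""
    findings = defaultdict(list)
    # Normalized lookup surfaces codes that differ only by case or whitespace.
    normalized = {g.strip().lower(): g for g in group_external_ids}
    for i, user in enumerate(idp_users):
        username = (user.get("username") or "").strip()
        key = username or f"row {i}"
        if not username:
            findings[key].append("missing username: will not be provisioned")
        if not (user.get("first_name") and user.get("last_name")):
            findings[key].append("missing first or last name: needed to create the user")
        # Assumption: a username without "@" is not an email address, so the
        # separate contact email field is required for notifications.
        if username and "@" not in username and not user.get("contact_email"):
            findings[key].append("no contact email: notifications cannot be sent")
        code = user.get("location_code") or ""
        if code not in group_external_ids:  # assumed exact-match rule
            near = normalized.get(code.strip().lower())
            hint = f" (near match: {near!r})" if near else ""
            findings[key].append(f"location code {code!r} matches no group external ID{hint}")
        # Deactivation is manual, and a later login can reactivate the user.
        if username in deactivated_usernames:
            findings[key].append("deactivated in Prokeep but still in IdP: may be reactivated on login")
    return dict(findings)

# Constructed sample data, not real users or groups.
GROUPS = {"ATL01", "BOS02"}
USERS = [
    {"username": "ana@example.com", "first_name": "Ana", "last_name": "Diaz", "location_code": "ATL01"},
    {"username": "bkim", "first_name": "Bo", "last_name": "Kim", "location_code": "bos02 "},
    {"username": "cy@example.com", "first_name": "Cy", "last_name": "Roe", "location_code": "BOS02"},
]
DEACTIVATED = {"cy@example.com"}

if __name__ == "__main__":
    for who, problems in audit_idp_export(USERS, GROUPS, DEACTIVATED).items():
        for problem in problems:
            print(f"{who}: {problem}")
```

The last finding is the one to act on for offboarding: removing the user's access in the IdP is what prevents a deactivated Prokeep account from being reactivated at the next login.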
With Prokeep's Just In Time SSO User Provisioning, enjoy a hassle-free approach to user management, ensuring accurate access and permissions across your organization. For further assistance or inquiries, don't hesitate to contact your technical account manager.