Configuring JIT user provisioning
Before JIT user provisioning can be used, some configuration is required.
Prerequisites
• A user group with the appropriate default rights and license access must be available and configured as the Default user group JIT user provisioning (see User groups).
• Default values for all mandatory fields in the user account (other than username) must be set in the Field definer.
We recommend using macros and some fixed default values:
◦ For single country customers, use the country's time zone as default.
◦ For multinational customers, we suggest using either the most common time zone for the company or UTC. If necessary, the time zone can always be changed by the user later.
◦ Use a date-time macro for date-time fields.
◦ Use the most used property set as the default property set.
• The special account USERPROVISIONINGADMIN must exist and be active in the application (see System accounts).
Enabling JIT Provisioning
1. Go to System Settings > General.
2. Under Administrator group and end user access, enable the setting JIT user provisioning activated?.
3. Set the Default user group JIT user provisioning reference field to the desired user group.
When enabling JIT user provisioning, the application will verify whether:
• All mandatory and conditionally mandatory fields have default values.
• The Default user group JIT user provisioning is filled.
• The USERPROVISIONINGADMIN account exists.
If any prerequisites are not met, enabling JIT will fail with a message indicating what needs to be corrected.
Restrictions
• The Default user group JIT user provisioning field cannot be cleared while JIT is active.
• The fields JIT user provisioning activated? and Default user group JIT user provisioning are read-only unless Keycloak is enabled.
Points of interest
• Password management:
For Keycloak-created accounts, password changes and resets are managed by the IdP (Keycloak), not within Planon. The password field is not mandatory and cannot be set or changed in Planon for these accounts.
If a customer disables Keycloak after using it with JIT user provisioning, the accounts created during that period must be updated with a password using Planon’s existing Reset Password or Forgot Password functionality.
• Account deletion and recreation: If a Keycloak-created account is deleted or anonymized in Planon but still exists in Keycloak, it will be recreated the next time the user logs in via SSO. Therefore, if a user account needs to be ended, deleted, or anonymized, you must first perform this action in Keycloak and then in Planon.
• Account ended in Planon: if a user account is ended in Planon but the user is still active in Keycloak, the user can still authenticate through SSO but will have no access to Planon functionality. To block sign-in entirely, the user must also be disabled or deleted in Keycloak.
• Special account: the USERPROVISIONINGADMIN account is used to track automated account creation and must not be deleted or anonymized.
• Audit logging: all JIT user provisioning account creations and logins are tracked in the audit log, including the Keycloak subject identifier.
• Error handling:
◦ If JIT user provisioning is disabled and a user without a Planon account attempts to log in, an error message is displayed.
◦ If required fields are missing default values, login fails with an error indicating which fields need default values.