Beta: Just-in-Time User Provisioning is a Beta feature. For more details, reach out to your Customer Success Manager (CSM).
Overview
Just-in-Time User Provisioning lets you automate the creation and management of users in your MoEngage workspace. This feature offers easier and quicker user creation directly from your Identity Provider.
Prerequisites: Before enabling JIT provisioning, ensure SSO is configured and active for your workspace.
Advantages
- Seamless onboarding: New team members can access MoEngage immediately without waiting for a manual invitation.
- Dynamic role assignment: Roles can be automatically assigned or updated from the Identity Provider (if the update option is enabled in the MoEngage JIT configuration).
- Temporary access: Provide session-based access to your users, who are automatically deleted after their session ends (if the delete option is enabled in the MoEngage JIT configuration).
Access Just-in-Time User Provisioning
- On the left navigation menu in your MoEngage workspace, navigate to Settings > Account > Security > Login.
- Click on Single Sign On (SSO) only.
Note: Ensure SSO is configured (how to configure SSO).
- Scroll to the Automate user provisioning section.
Permissions to Access
The following table describes the permissions required to access and use JIT Provisioning:
| Permission Component | Permission Name | Details |
|---|---|---|
| Security Settings | Setup & Manage | Allows you to view, enable, update, or disable user provisioning. |
Step 1: Enable Just-in-Time User Provisioning
- Turn the Automate user provisioning toggle on.
The Configure provisioning method dialog box appears.
- Select JIT Provisioning as your configuration type.
Step 2: Configure and Save
- Provide the following fields:

| Field | Required | Description |
|---|---|---|
| Default role | Yes | MoEngage requires a fallback role. If the SAML assertion received from the Identity Provider does not contain a role value, the user is assigned this default role to access the workspace. All default and custom roles are available for selection as the default role. |
| Update user's role | Optional | If checked, the user's role in the workspace is updated based on the value received from the Identity Provider in each SAML assertion call. Note: If unchecked, and the role received from the Identity Provider differs from the role in the workspace, the user is granted access based on the role received from the Identity Provider for that session only, with no permanent change to their role in the workspace. |
| Delete user at the end of the session | Optional | If checked, the user is deleted and removed from the workspace either when the session expires (for example, on user logout or force logout) or after 24 hours, whichever happens first. |

- Click on Save.
The Save your configuration dialog box appears, prompting you to confirm your configuration.
- Click on Confirm.
The enabled successfully message appears.
Identity Provider (IdP) Setup
Supported Identity Providers
- Okta
- Microsoft Azure
- OneLogin
- Any Identity Provider that supports Just-in-Time User Provisioning
Okta
Step 1: Add Role Attribute to the MoEngage SSO Application
- Navigate to the Okta Admin Console.
- On the left navigation menu, click Directory > Profile Editor.
- On the Profile Editor page, select the MoEngage SSO application you created or use the Search for people, apps, and groups box to find it.
- Click Add Attribute. The Add Attribute dialog box appears. Enter the following details:
- In the Data type list, select string.
- In the Display name box, enter role.
- In the Variable name box, enter role.
- In the Description box, enter role.
- Click Save.
Step 2: Configure SAML Attribute Statements
- Navigate to Applications > Applications and click the MoEngage SSO application.
- Click the Sign On tab and scroll down to the Attribute Statements (Optional) section.
- Click Show legacy configuration to expand the section.
- Click Edit adjacent to the Profile attribute statements section and enter the following details:

| Field | Value |
|---|---|
| Name | role |
| Name format | Basic |
| Value | appuser.role |

- Click Save.
Step 3: Assign User and Define Role
- Navigate to Applications > Applications and click your MoEngage SSO application.
- On the Assignments tab, click Assign > Assign to People.
- In the assignment attributes modal, locate the Role field and enter the exact role name (for example, Admin, Manager, Marketer, or a custom role) as defined in your MoEngage workspace.
- Click Save and Go Back, and then click Done.
To Update an Existing User:
- In the Assignments tab, click the pencil icon next to the user.
- Edit the role and click Save.
Step 4: Validation
After the setup is complete, log in to MoEngage via your Identity Provider (IdP). To verify that roles are being passed correctly, inspect the ACS payload and confirm that the role attribute contains the expected value as configured in the Identity Provider and defined in MoEngage (for example, Admin). This confirms that users are assigned the appropriate role upon redirection.
Azure
Step 1: Configure Attributes and Claims
- Navigate to the Azure Admin Console.
- On the Azure services page, click Microsoft Entra ID.
- On the Overview page, go to the left navigation menu and click Manage > Enterprise applications.
- On the Enterprise applications | All applications page, find your application in the list or use the Search by application name or object ID box to find it and select the application name you want to configure from your list.
- On the left navigation menu, click Single sign-on and then click Edit in the Attributes & Claims section.
- On the Attributes & Claims page, click Add new claim.
- On the Manage claim page, enter the following details:

| Field | Required | Value |
|---|---|---|
| Name | Yes | Any value can be entered here (for example, role). Note: Claim name must be unique. |
| Name format | Optional | Leave it blank. |
| Source | Yes | Select the Attribute checkbox (this is selected by default). |
| Source attribute | Yes | Select user.assignedroles in the drop-down list. |

- Click Save.
- After you click Save, verify that the Role claim appears in the Additional claims list with the value user.assignedroles.
Step 2: Assign Users and Roles
Follow the steps mentioned here (Step #5) before proceeding with the steps below:
- Go back to the Enterprise applications | All applications page, and click Users and groups.
- Click Add user/group.
The Add Assignment page appears.
- Under Users, click the None Selected link. The Users dialog box pane appears on the right side.
- Select the required user checkbox (for example, Security Integration) and click Select.
- Under Select a role, click the None Selected link. The Select a role dialog box pane appears on the right side.
- In the Enter role name to filter items box, type the appropriate role (for example, Analyst, Admin) and click Select.
- Click Assign at the bottom of the Add Assignment page.
After Microsoft Entra ID successfully updates the user, the Application assignment succeeded message appears.
Step 3: Validation
After the setup is complete, log in to MoEngage through the Microsoft My Apps portal (myapps.microsoft.com) by clicking on the assigned application. You will be redirected to the login flow. During the login process, inspect the ACS payload and verify that the role attribute is present and contains the expected value (for example, Analyst). This confirms that the role is being passed correctly and ensures the user is provisioned in MoEngage with the appropriate role upon their first login.
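The validation step for both Okta and Azure, and the role rules from the configuration table (default role as fallback, first value only when several are sent, update versus session-only role, 24-hour session deletion), can be checked offline against a decoded ACS payload. The following is an added example, not MoEngage's or either IdP's code: it parses a constructed SAML Response, extracts the "role" attribute, and applies the documented JIT rules. The sample payload, the attribute name "role" and the dataclass names are assumptions for illustration; the parser does not verify the assertion signature, so in a real check the payload must first be validated by a SAML library before any attribute value is trusted.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# SAML 2.0 namespaces used by the protocol wrapper and the assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of the (base64-decoded) SAML Response an IdP posts to the
# ACS URL. It carries a "role" attribute with two values, as an IdP might send
# for a user assigned to several roles. Not a real MoEngage or IdP payload.
SAMPLE_ACS_PAYLOAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Analyst</saml:AttributeValue>
        <saml:AttributeValue>Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attribute(xml_text: str, name: str) -> list[str]:
    """Return every AttributeValue of the named SAML attribute, in assertion order."""
    root = ET.fromstring(xml_text)
    values: list[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for val in attr.iterfind("saml:AttributeValue", NS):
                values.append((val.text or "").strip())
    return values


def validate_acs_payload(xml_text: str, expected_role: str, attr_name: str = "role") -> bool:
    """The validation step: is the role attribute present with the expected value?
    Only the first value is considered when several are sent, matching the FAQ."""
    values = extract_attribute(xml_text, attr_name)
    return bool(values) and values[0] == expected_role


@dataclass
class JitConfig:
    default_role: str                    # mandatory fallback role
    update_user_role: bool = False       # "Update user's role" option
    delete_at_session_end: bool = False  # "Delete user at the end of the session" option


@dataclass
class ProvisioningOutcome:
    session_role: str                  # role the user gets for this login
    stored_role: str                   # role persisted on the workspace user
    role_source: str                   # "idp" or "default"
    revoke_after_hours: Optional[int]  # 24 (upper bound) when session-scoped, else None


def resolve_provisioning(role_values: list[str], cfg: JitConfig,
                         existing_role: Optional[str]) -> ProvisioningOutcome:
    """Apply the documented JIT rules to the role values taken from the assertion.
    existing_role is None for a user who does not yet exist in the workspace."""
    if role_values:
        session_role, source = role_values[0], "idp"  # only the first value counts
    else:
        session_role, source = cfg.default_role, "default"  # fallback role
    if existing_role is None or cfg.update_user_role:
        stored_role = session_role    # new user, or updates enabled: persist it
    else:
        stored_role = existing_role   # updates disabled: IdP role for this session only
    return ProvisioningOutcome(
        session_role=session_role,
        stored_role=stored_role,
        role_source=source,
        revoke_after_hours=24 if cfg.delete_at_session_end else None,
    )


if __name__ == "__main__":
    roles = extract_attribute(SAMPLE_ACS_PAYLOAD, "role")
    print("role attribute values:", roles)
    print("validation passes for Analyst:", validate_acs_payload(SAMPLE_ACS_PAYLOAD, "Analyst"))
    print(resolve_provisioning(roles, JitConfig("Marketer"), existing_role=None))
    print(resolve_provisioning(roles, JitConfig("Marketer"), existing_role="Marketer"))
```

Running the script shows the second value ("Admin") being ignored and, for an existing user with the update option unchecked, the IdP role applying to the session while the stored role stays unchanged; this is the behaviour to expect when comparing the captured ACS payload against the role shown in the workspace.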
Update/Disable JIT Provisioning Configuration
Update Configuration
- Navigate to the Automated user provisioning section.
- Click on Edit.
- Modify the required settings as needed.
- Click on Save.
The Save your configuration dialog box appears, prompting you to confirm your configuration.
- Click Confirm to apply changes.
Disable Configuration
- Navigate to the Automated user provisioning section.
- Turn the Automate user provisioning toggle off.
The Disable user provisioning dialog box appears.
- Click on Confirm.
The JIT provisioning disabled successfully message appears to confirm the action.
Security and Logs
- 2FA & firewall: Existing firewall rules apply to the users created via Just-in-Time User Provisioning as well. If 2FA is enforced for the workspace, these users must set up and enter a 2FA code upon login.
- Audit logs: All activities, including enable/disable/update operations and user create/delete/update operations, are recorded in the Audit Logs under Login settings.
- Notifications: Admins will receive email notifications whenever Just-in-Time User Provisioning is enabled/disabled or when a new user is created via Just-in-Time User Provisioning.
FAQs
You cannot enable Just-in-Time User Provisioning while SCIM is enabled. You will first have to disable SCIM.
MoEngage creates the user upon their first sign-in. The user remains active in the workspace until the access is manually revoked (how to revoke access).
MoEngage creates the user for that specific session. The system automatically revokes access when the session ends or 24 hours after user creation (whichever happens first).
Note: This rule applies only to users created via Just-in-Time User Provisioning.
The users created via SCIM will remain active in the workspace along with their role information. For further role updates, JIT can be used (if the option to update users' roles is selected) or Team Management > Members page can be used (if the option to update users' roles is not selected). To revoke access, refer to how to revoke access.
MoEngage only refers to the first role value in the list in case multiple values are received in the SAML assertion call.
- Invite: The user is invited to the workspace.
- Update Role: The user's role can be updated. However, it will only be effective if the option to update users' roles under the JIT configuration is not selected.
Note: This option is provided to facilitate role updates for users who are not part of the JIT application in the Identity Provider but are part of the SSO application, or who are admins logging in via password (and not part of any application in the Identity Provider).
- Revoke Access: The user can be deleted or their access can be revoked using the same page. However, if the user is part of the IdP application where JIT is configured, the user can log in again.