Just-in-Time provisioning

This feature is only available on our Enterprise plan. Contact sales for more information. 

Just-in-Time (JIT) provisioning automates how new team members can gain access to software. When a new team member logs in to Abstract for the first time, a new account is created for them behind the scenes.  

JIT relies on your single sign-on (SSO) configuration to authenticate account access. JIT provisioning has two key benefits. You can: 

  • Share secure access to Abstract, without delay. 
  • Skip manual software credentialing and account management.

JIT specifically aids the account creation process. To manage membership information and delete Abstract accounts, consider an alternative: SCIM with Okta.

Logging in with Just-in-Time provisioning

When SSO is configured, anyone who tries to log in to Abstract with a company-associated domain may be redirected to sign in via your company’s SSO portal, depending on the configuration. Once the person is authenticated, JIT and SSO together check whether those credentials are associated with an Abstract account.

  • If an Abstract account already exists, the person is logged in as normal and proceeds to Abstract. 
  • If an Abstract account does not exist, JIT creates a new account for that person and allows them to proceed to Abstract.  

Just-in-Time provisioning works with one domain. To give external contractors or clients access to your Organization, invite them.

Technical considerations

Before you implement Just-in-Time provisioning, please note: 

  • You’ll need to configure SSO first. 
  • JIT and SCIM provisioning cannot be used together. 
  • Only one domain can be used with JIT, per Organization. 

When accounts are created via Just-in-Time provisioning: 

  • You will not be able to change their account email address without reaching out to Abstract’s support team. 
  • The account member will not be able to use that account to join or create another Abstract Organization. 

If someone wants to use Abstract outside of your Organization for side projects, they should create a new account via a free trial or invitation to another Organization.
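The login decision and the constraints listed above, modelled as an added example; this is not Abstract's code. `Org`, `handle_sso_login`, the return strings and the account flags are hypothetical names, the addresses are constructed samples, and the exact-match domain check is an assumption about how "one domain" would be enforced.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    jit_domain: str                 # the one domain enabled for JIT
    sso_configured: bool = True
    scim_enabled: bool = False
    accounts: dict = field(default_factory=dict)   # email -> account record

def email_domain(email: str) -> str:
    """Lower-cased domain of a well-formed address, else an empty string."""
    if email.count("@") != 1:
        return ""
    local, domain = email.split("@")
    return domain.lower() if local and domain else ""

def handle_sso_login(org: Org, asserted_email: str) -> str:
    """Outcome for an address the IdP has already authenticated."""
    if not org.sso_configured:
        raise ValueError("configure SSO before enabling JIT")
    if org.scim_enabled:
        raise ValueError("JIT and SCIM provisioning cannot be used together")
    email = asserted_email.strip().lower()
    if email in org.accounts:
        return "logged_in"              # existing account: normal login
    # Exact comparison, so subdomains and look-alike domains never qualify.
    if email_domain(email) != org.jit_domain.lower():
        return "invite_required"        # assumption: outsiders need an invite
    org.accounts[email] = {
        "created_by": "jit",
        "email_locked": True,           # change requires the support team
        "can_join_other_orgs": False,   # account is tied to this Organization
    }
    return "account_created"

if __name__ == "__main__":
    # Constructed sample data: one pre-existing member, then four logins.
    org = Org("example.com", accounts={"ana@example.com": {"created_by": "invite"}})
    for addr in ("Ana@Example.com", "ben@example.com", "ben@example.com",
                 "eve@notexample.com", "eve@example.com.invalid"):
        print(addr, "->", handle_sso_login(org, addr))
```
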

Configure Just-in-Time provisioning

  1. Configure SSO. Okta, Azure AD, ADFS, Google SAML, and Amazon Web Services are officially supported SSO Identity Providers for Abstract. You may also configure SSO with another IdP.
  2. From your Identity Provider (IdP), assign users to the Abstract app. There should be an option to enable it for your entire Organization at once. 
  3. Contact your Account Manager and we will enable JIT for your Organization.

To configure Just-in-Time provisioning via Abstract (Service Provider initiated) in addition to your IdP (IdP initiated), be prepared to provide your Account Manager with the domain name that will be used to automatically identify your organization members. We may require proof of ownership over this domain, at our discretion.