Set up just-in-time provisioning

This feature is only available on our Enterprise plan. Contact sales for more information. 

Just-in-time (JIT) provisioning automates how new team members can gain access to software. When a new team member logs in to Abstract for the first time, a new account is created for them behind the scenes.  

JIT relies on your single sign-on (SSO) configuration to authenticate account access. JIT provisioning has two key benefits. You can: 

  • Share secure access to Abstract, without delay. 
  • Skip manual software credentialing and account management.

JIT specifically aids the account creation process. To manage membership information and delete Abstract accounts, consider an alternative: SCIM with Okta.

Log in with Just-in-time provisioning

When SSO is configured, anyone who tries to log in to Abstract with a company-associated domain may be redirected to sign in via your company’s SSO portal, depending on the configuration. Once authenticated, JIT and SSO together verify if those authenticated credentials are associated with an Abstract account. 

  • If an Abstract account already exists, the person is logged in as normal and proceeds to Abstract. 
  • If an Abstract account does not exist, JIT creates a new account for that person and allows them to proceed to Abstract.  

JIT provisioning works with one domain. Invite external contractors or clients who need access to your Organization.

Technical considerations

Before you implement JIT provisioning, please note: 

When you create accounts via JIT provisioning: 

  • You can't change the account email address without reaching out to Abstract’s support team. 
  • The account member can't use that account to join or create another Abstract Organization. 

If someone wants to use Abstract outside of your Organization for side projects, they should create a new account via a free trial or invitation to another Organization.

Configure Just-in-time provisioning

  1. Configure SSO. Okta, Azure AD, ADFS, Google SAML, and Amazon Web Services are officially supported SSO Identity Providers for Abstract. You can also configure SSO with another IdP.
  2. From your Identity Provider (IdP), assign users to the Abstract app. There should be an option to enable it for your entire Organization at once. 
  3. Contact your Account Manager to enable JIT for your Organization.

To configure JIT provisioning via Abstract (Service Provider initiated) in addition to your IdP (IdP initiated), be prepared to provide your Account Manager with the domain name used to identify your organization members. At our discretion, we may require proof of ownership over this domain.