This document explains how to configure Just-in-time (JIT) provisioning for Okta users and Azure users.
With JIT enabled, Google Security Operations SOAR automatically creates the user after a successful SAML sign-in from the configured identity provider (IdP), such as Okta or Google Workspace.
Define JIT provisioning for Okta users
In Google SecOps SOAR, go to Settings > Advanced > External Authentication.
Select Okta and enter the required parameters.
Select the JIT provisioning checkbox to display the mapping fields.
In Okta, go to Directory > Profile Editor, check how each field is written, and then copy it into the matching field name in the Google Security Operations SOAR platform.
Confirm the fields are identical in the Google Security Operations SOAR platform and in Okta, and then save.
Define JIT provisioning for Azure users
In Google SecOps SOAR, go to Settings > Advanced > External Authentication.
Select Azure and enter the required parameters.
Select the JIT provisioning checkbox to display the mapping fields, then use the following standard claim URIs:
First Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
User Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Email Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. The Email Attribute can also sometimes be seen as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
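To confirm that the IdP actually sends the attribute names entered in the mapping fields, you can compare them against a decoded SAML assertion before enabling JIT. The following is an added example, not Google SecOps or Okta code: the function names and the sample assertion are constructed for illustration, and exact, case-sensitive matching is an assumption based on the requirement that the fields be identical.

```python
import xml.etree.ElementTree as ET
# Added example: checks attribute names only; it does not validate the SAML signature.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Mapping as entered in the JIT provisioning fields (Azure values from this page).
AZURE_MAPPING = {
    "First Name Attribute": CLAIMS + "givenname",
    "Last Name Attribute": CLAIMS + "surname",
    "User Name Attribute": CLAIMS + "name",
    "Email Attribute": CLAIMS + "name",
}

# Constructed sample: a decoded assertion that carries no emailaddress claim.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute Name: first value} for every attribute in the assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_mapping(mapping, xml_text):
    """Return {field: problem} for mapped names that are absent or empty (exact match)."""
    attrs = assertion_attributes(xml_text)
    problems = {}
    for field, name in mapping.items():
        if name not in attrs:
            near = [n for n in attrs if n.lower() == name.lower()]
            problems[field] = f"missing: {name}" + (f" (case differs: {near[0]})" if near else "")
        elif not attrs[name]:
            problems[field] = f"empty value: {name}"
    return problems


if __name__ == "__main__":
    for field, problem in check_mapping(AZURE_MAPPING, SAMPLE_ASSERTION).items():
        print(f"{field}: {problem}")
```

An empty result means every mapped field has a matching, non-empty attribute in the assertion. For Okta, pass a mapping built from the field names shown in Profile Editor.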
This function is available only for standalone SOAR platforms, and can only be configured for one SAML provider.
Last updated 2025-08-24 UTC.