JIT (Just-In-Time) Provisioning
An identity-provisioning pattern where the user account in the destination system is created at first login rather than provisioned in advance. The flow: the user attempts to access the destination, the IdP authenticates them, the IdP asserts their identity via SAML or OIDC, and the destination, seeing a never-before-seen user, provisions them on the fly based on the asserted attributes.
JIT is attractive because it eliminates the "provisioning gap" — the period in which a new hire has an HR record but not yet an account in every system they'll need. With JIT, the first login creates the account.
Limitation in the AE Guardian context: the adfs-sso and other SSO connector guides explicitly state that users must be pre-synced into the AE Guardian database before SSO will work. AE Guardian does not support JIT provisioning at the SSO layer — assertions for unknown users fail. The intended pattern is: use the active-directory / okta / microsoft-entra-id connector to reconcile users into AE Guardian first, *then* enable SSO. This is a deliberate security stance — Guardian's PIAM workflows need to know about the user before the user can authenticate.
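The two behaviours described above, side by side, as an added sketch that is not AE Guardian's code or any connector's. `UserStore`, `presync` and the assertion dictionaries are hypothetical and constructed for illustration; the assertion is assumed to have already passed signature and audience validation.

```python
from dataclasses import dataclass, field


class UnknownUserError(Exception):
    """The assertion names a user the destination has never seen."""


@dataclass
class UserStore:
    """Hypothetical destination-side account database."""
    jit_enabled: bool
    accounts: dict = field(default_factory=dict)

    def presync(self, records):
        """Reconcile users from a provisioning connector before SSO is enabled."""
        for rec in records:
            self.accounts[rec["name_id"].lower()] = {
                "email": rec["email"], "source": "connector"}

    def login(self, assertion):
        """Handle an already-validated SAML/OIDC assertion (constructed dict)."""
        key = assertion["name_id"].lower()
        account = self.accounts.get(key)
        if account is not None:
            return account  # known user: same path in both modes
        if not self.jit_enabled:
            # Pre-sync stance: the assertion fails and no account is created.
            raise UnknownUserError(key)
        # JIT: the account is built purely from what the IdP asserted.
        email = assertion.get("attributes", {}).get("email")
        if not email:
            raise ValueError("assertion lacks the attributes needed for an account")
        account = {"email": email, "source": "jit"}
        self.accounts[key] = account
        return account


if __name__ == "__main__":
    alice = {"name_id": "Alice@Example.com",
             "attributes": {"email": "alice@example.com"}}  # constructed sample
    print(UserStore(jit_enabled=True).login(alice))
    strict = UserStore(jit_enabled=False)
    try:
        strict.login(alice)
    except UnknownUserError as exc:
        print("rejected unknown user:", exc)
```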
What other systems call it
Per-vendor / per-standard terminology for this same concept.
| System | Term / Notes |
|---|---|
| | Not supported at SSO layer — pre-sync required via provisioning connector |
Used by 4 connectors
Connectors in the catalog that reference this concept.