Skip to main content

Connecting to an IDP Configured for Just-In-Time User Provisioning

Important

In a JIT environment, users are created when they first access HMP.

  • If the Group Membership attribute is defined (see Just-In-Time Settings), users are assigned to groups with information received from the IDP, as long as a matching group name (case insensitive) was previously created on HMP. For example, suppose an 'Engineering' group is created in HMP and users are assigned to an 'Engineering' group in the IDP. When one of those users accesses HMP, since the IDP sends a response to HMP that the user belongs to the Engineering group, they are automatically added to the Engineering group on HMP. If the IDP response contains a group that is not already defined in HMP, then that group membership is ignored by HMP. If no group is matched, then HMP assigns that user to the Default User Groups, if defined.
  • If the Group Membership attribute is not defined, the HMP administrator must assign groups to the users after they first access HMP, or via the Default User Groups setting.
  • If necessary, you may delete users from HMP. However, you cannot add users.

To connect HMP to a identity provider (IDP) that is configured for Just-in-Time (JIT) User Provisioning:

  1. Click the 
     icon and select Administration from the navigation drop-down menu.
  2. Click System Settings on the toolbar and then click User Provisioning/SSO on the sidebar.
    The User Provisioning pane opens.
  3. To connect to an IDP configured for JIT click the Just-in-Time bullet.
    The JIT configuration settings then become available, as shown in the following example.

  4. For each field, enter the proper values necessary for your IDP. See Just-In-Time Settings for field definitions.

    Note

    For the Default User Groups field, you must create the user groups first before you are able to enter a value. So, you will need to complete this procedure first, create the desired user groups, and then return to this screen to define the default user groups.

  5. Click Save Settings to save the connection settings.

    Note

    After clicking the Save Settings button, the current sessions for non-haiadmin users will end and they will be logged out of HMP.

  6. Create groups as necessary as described in the JIT tab at Managing Groups (LDAP/AD/JIT Only).

    Note

    See the notes before and after this procedure for more information on groups.

  7. If you would like to define default user groups, return to the User Provisioning/SSO pane. Then enter the group names in the Default User Groups field.

  8. In your identity provider, use the following value for the Assertion Consumer Service URL: https://<HMP address>/sso/callback
    For example, in Okta use this value in the ACS Url field:

When users first access HMP after authenticating via your IDP, their user accounts are created and they are assigned to the default groups or the IDP-defined groups.

Note

  • The groups specified by the IDP must already be created on the HMP. Else, the IDP's group definitions are ignored.
  • After ending your current session, if for any reason you need to bypass the your IDP login into HMP (e.g., if you experience an error during IDP JIT configuration), point your browser to https://<HMP address>/login. The standard HMP sign-in page appears, where you can use the haiadmin username and password to log in.

For more information, see Managing Users and Managing Groups (LDAP/AD/JIT Only).

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close