Just-in-time user provisioning
You can import users into TotalAgility in several ways, such as:
- Using LDAP synchronization, which lets TotalAgility query user objects from Active Directory and create the corresponding users in TotalAgility.
- Using a TotalAgility SDK API for user creation.
When an authentication claims token is sent to TotalAgility and TotalAgility successfully validates its digital signature, it can then look up a user in the TotalAgility database based on the unique identifier supplied in the token (usually an email address). If that user object exists in the TotalAgility database, it can create a session for that user.
What if the user does not exist?
The identity provider is the single source of truth for access to applications. If the IdP sends a valid claim to TotalAgility when the user is trying to sign in, then TotalAgility allows that user access without being concerned whether the user already exists in the TotalAgility database.
The customer using TotalAgility has, through the IdP, already granted access to the person who is now trying to access the system. In this scenario, TotalAgility can perform just-in-time provisioning: the system gathers the user's information from the claims token, uses it to create the user in TotalAgility, and signs the user in at the same time.
What type of information do we need to create a user?
TotalAgility can gather all the information it needs, such as first name, last name, email, role, and more, from the claims token that is sent to it. If the system does not find the user in TotalAgility, it creates the user with all the provided data. It has now provisioned a user just-in-time, at the moment that user attempted to access TotalAgility. This is a powerful, advanced feature of Federated Authentication. It can help with the onboarding of new customers, as it is very easy to give access to thousands of employees through Federated Authentication and then let them be created dynamically.
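The flow described above (validate the token's signature, look up the user by the identifier in the claims, create the user if missing, then open a session) as an added example; this is illustrative code, not TotalAgility's or the SDK's own, and it assumes an HMAC-SHA256 shared key as a stand-in for the IdP's real signature so it runs offline. Note that nothing is provisioned until the signature and the required claims have been checked.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key standing in for the IdP signing key (assumption).
IDP_KEY = b"constructed-demo-signing-key"
# Claims the provisioning step needs before it will create a user (assumption).
REQUIRED_CLAIMS = ("email", "first_name", "last_name", "role")


def sign_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Simulate the IdP: serialize the claims and sign them (payload.signature)."""
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, key: bytes = IDP_KEY) -> Optional[dict]:
    """Return the claims only if the signature verifies; otherwise None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def sign_in(token: str, users: dict, sessions: list) -> dict:
    """Just-in-time provisioning: look up the user by email, create if absent, open a session."""
    claims = verify_token(token)
    if claims is None:
        return {"status": "rejected", "reason": "invalid signature"}
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return {"status": "rejected", "reason": f"missing claims: {missing}"}
    email = claims["email"].lower()          # unique identifier from the token
    provisioned = False
    if email not in users:                    # user unknown: create it from the claims
        users[email] = {c: claims[c] for c in REQUIRED_CLAIMS}
        provisioned = True
    sessions.append({"user": email})         # sign the (possibly new) user in
    return {"status": "ok", "provisioned": provisioned, "session_id": len(sessions)}
```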