Use Case:
A customer has a 5.5K user license and 6.7K employees. They’ve identified 3.5K employees who are more likely to engage and want to provision them through SCIM. 

Additionally, they plan to communicate the new platform company-wide and aim to offer a seamless experience for employees not included in the initial provisioning. 


To achieve this, they want to activate SSO JIT alongside SCIM so that employees who access the platform via the SSO link are provisioned and granted access automatically.


Q&A

1. Can the two provisioning methods (SCIM and SSO JIT) be used simultaneously?
Yes, they can be used together. However, using two different provisioning methods is not recommended.


2. How are user profile fields updated for users provisioned via SCIM and SSO JIT? Are updates supported for SSO JIT?

  • JIT creates the user only on their first login.
  • If the same user is later assigned to the SCIM app in Azure, their profile will be updated via SCIM.

3. Will employees who leave the company be automatically blocked or anonymized for both methods?

  • SCIM users: Automatically blocked via SCIM.
  • JIT users: Requires manual blocking.

4. What happens if I manually block a user provisioned through JIT and they attempt to log in again?
The user will remain blocked and will not be reactivated automatically.


5. The customer plans to launch the platform for external users on a separate tenant next year. Will JIT provision these users, or is JIT configured per user type?
External users cannot be provisioned via JIT or SCIM, as they are not a part of the company's AD.

This will require further discussion if necessary.


6. The customer also plans to launch another subsystem (Q-Impact) for a predefined group of users. Will JIT grant automatic access to this subsystem, or is it configured per subsystem?
No. Access is predefined for each subsystem. For assistance in defining the audience, please contact the PS team.


7. Are there any additional considerations when using both provisioning methods?
It’s recommended to set up a test environment with both methods enabled to ensure everything functions as expected before full deployment.

Again, using two different provisioning methods is not recommended.
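
Because JIT users are not blocked automatically when they leave (questions 3 and 4), a periodic reconciliation against the directory shows which JIT accounts need manual blocking. The following is an added example, not part of the platform or the original article; the CSV exports and their column names (`provisioned_by`, `status`, `account_enabled`) are assumptions and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a real product schema.
PLATFORM_EXPORT = """email,provisioned_by,status
ana@example.com,SCIM,active
ben@example.com,JIT,active
cy@example.com,JIT,active
dee@example.com,JIT,blocked
eli@example.com,JIT,active
"""

DIRECTORY_EXPORT = """email,account_enabled
ana@example.com,true
ben@example.com,true
cy@example.com,false
dee@example.com,false
"""


def load_rows(text):
    """Parse CSV text into dicts with trimmed, lower-cased values."""
    return [{k: v.strip().lower() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def jit_accounts_to_block(platform_csv, directory_csv):
    """Return active JIT accounts whose directory account is disabled or missing."""
    enabled = {r["email"] for r in load_rows(directory_csv)
               if r["account_enabled"] == "true"}
    findings = []
    for user in load_rows(platform_csv):
        # SCIM users are blocked via SCIM; already-blocked users stay blocked.
        if user["provisioned_by"] != "jit" or user["status"] != "active":
            continue
        if user["email"] not in enabled:
            findings.append(user["email"])
    return sorted(findings)


if __name__ == "__main__":
    for email in jit_accounts_to_block(PLATFORM_EXPORT, DIRECTORY_EXPORT):
        print(f"manual block required: {email}")
```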