Just-in-time (JIT) provisioning of user access has been supported by 4me for a few years already. 4me’s advanced single sign-on capabilities have also supported OpenID Connect for a while now. What’s new is that 4me allows OpenID Connect and JIT provisioning to be combined. That makes it possible to give people, who do not yet have a person record in 4me, access to 4me Self Service with their Google, LinkedIn or Microsoft account credentials.
Setting this up is pretty easy. After creating the app or project in the identity provider, a 4me account owner can go to the ‘Single Sign-on’ section of the Settings console. There it is possible to add another single sign-on configuration for the identity provider, for example for Google.
The result is that people are able to access the organization’s self-service portal with their Google account. If they are already logged into their Google account, they will be given access to 4me, even if they do not have a person record in 4me yet. That’s because 4me’s JIT provisioning ensures that, before providing access, the information from a person’s Google account is used to generate a new person record. This person record gets populated with the name, email address, picture and language preference that is stored in his or her Google account.
The next time this person attempts to access 4me using with his or her Google account’s credentials, 4me will recognize that the person record already exists and provide access without creating another person record. If the JIT attributes (or claims) included in the response from Google contain updated information, the 4me person record gets updated automatically.
This works not only for Google, but for any identity provider that supports the OpenID Connect protocol. Since many governments already provide their citizens online access using an identity provider that supports OpenID Connect, it is now possible for these governments to give their subjects secure self-service access to 4me without having to create a person record in 4me for every citizen.