Skip to content

SAML JIT provisioning using Microsoft Entra ID

License

The Lightrun SAML JIT feature is only available to users on our Enterprise plan; please contact our Support team for more information.

From version 1.41, Lightrun supports adding JIT (Just-In-Time) user provisioning capabilities to Microsoft Entra ID (formerly Azure Active Directory (AD)). Provisioning SAML JIT accounts using Microsoft Entra ID involves setting up a seamless and automated user account creation process for applications integrated with Microsoft’s identity platform.

By configuring JIT provisioning, administrators can ensure that when users log in to a web application for the first time via Single Sign-On (SSO), their account is automatically created based on the information passed through SAML assertions from Microsoft Entra ID. This eliminates the need for manual account creation during onboarding, significantly reducing administrative overhead and improving the user experience.

To set up SAML JIT provisioning in Microsoft Entra ID, first set up the Lightrun Application within the Entra ID portal. This involves defining the necessary user attributes and mappings that the service provider (the web application) requires.

Once configured, when a user authenticates through Microsoft Entra ID, the system sends the relevant user attributes—such as name, email—in the SAML response to Lightrun. If the user does not already have an account, the application uses this information to create one automatically, allowing the user immediate access without further intervention.

Prerequisite: Set up Lightrun SAML with SSO in Microsoft Entra ID

To set up the Lightrun application in Microsoft Entra ID for the SSO SAML integration, see SSO SAML in Microsoft Entra AD.

Step 1: Configure SAML Attributes & Claims in Microsoft Entra ID for Lightrun

  1. Sign in to Microsoft Entra ID and click Enterprise applications in the sidebar.
  2. Select the application you created as part of the SSO configuration.
  3. Select Users and groups.
  4. Select +Add user/group. Highlight your choice in the search bar, select Select, and select Assign. Repeat as necessary to add users/groups.
  5. Select Single sign-on.
  6. Select the SAML tile. The Set up Single Sign-On with SAML page opens.
  7. Click the Edit link in the Attributes & Claims section.
  8. Click Add new claim.

  9. Add the following new claims with the indicated Name and Source attributes.

    Name Source attribute
    firstName user.givenname
    lastName user.surname

    Add new claims

  10. Click Save.

  11. Click Add new claim.

  12. Fill the values for the following fields:

    - Name: lastName

    - Source attribute: user.surname

  13. Click Save.

    The Attributes & Claims window should be populated with the following rows.

    Attributes & Claims

    Note that the additional claims section may contain additional rows.

    To synchorize the attributes, they must be defined for your user. Additionally, the first name and last name may differ from your display name.

    Display Name --half

Step 2: Enable SAML JIT Provisioning in Lightrun

  1. Log in to your Lightrun Management Portal.

  2. Click Settings on the top right-hand side of your screen to navigate to the Identity and Access Management tab > Identity Configuration.

  3. Scroll down to the Provisioning section.

    Enable JIT Provisioning

  4. Click the SAML JIT toggle to enable SAML JIT.

  5. Click Save.

Guidelines for managing users using JIT provisioning

When managing users through JIT provisioning, the following guidelines apply:

  • Provisioning Method

    Only one provisioning method can be used at a time.

  • Identity management integration

    Only a single Identity Management (IdM) system can be set with SAML JIT.

  • Adding users

    When a user is provisioned through Microsoft Entra ID, they are automatically added to the Lightrun Management Portal and flagged as JIT-provisioned.

  • Removing users

    Removing a user from JIT provisioning will not remove the user from Lightrun; manual removal is required.

  • Default Pool Assignment

    JIT-provisioned users are automatically added to the default Agent Pool and assigned user-role permissions.

  • Roles and Permissions

    Lightrun-specific roles and permissions must be assigned directly within the Lightrun Management Portal. Users can be assigned to different agent pools, inheriting the roles and permissions associated with those pools.

Last update: November 19, 2024