IBM Verify


IBM Cloud Identity Just-in-time (JIT) Integration with Salesforce SSO application

By An Ho posted Mon October 21, 2019 10:58 AM

  

Overview

This blog describes the steps to set up IBM Cloud Identity Just-in-time (JIT) integration with the Salesforce SSO application. JIT enables automatic Salesforce user provisioning on the user's first sign-on to the Salesforce application from Cloud Identity.

This configuration reduces the administration overhead of manually pre-provisioning users on Salesforce.

Assumption: You must already have configured the Salesforce SSO application integration with IBM Cloud Identity. Refer to my colleague's blog on how to set up SSO integration for the Salesforce application using IBM Cloud Identity:

http://technoponder.com/how-to-configure-sso-with-salesforce-using-ibm-cloud-identity-connect/ 

 

How to configure JIT for Cloud Identity and Salesforce SSO: 

On Salesforce: Determine the profile ID of the profile you want Salesforce to assign to the users it creates through Just-in-time provisioning

Warning: Salesforce Just-in-time provisioning updates the user on Salesforce if the user already exists. If the user was previously created with a profile different from the JIT profile selected here, the existing user's profile will be replaced with the JIT profile upon the user's first SSO to Salesforce. Ensure that you carefully pick the right Salesforce profile below to use for the JIT integration.

 

     

  1. Login to Salesforce at https://login.salesforce.com using your administrative user
  2. Expand Users (1) in the Salesforce Setup menu and select Profiles (2) from within that section.
  3. Scroll down and choose the profile that you would like Salesforce to use when creating Just-in-time entries
  4. Click on the link in the Profile Name column (3) and observe the profile URL.

 

 

5. Note down the profile ID from the URL at the top for use later.

An example link for the Identity User profile type: https://your-salesforce-app-domain/lightning/setup/EnhancedProfiles/page?address=%2F00e3i000001Hdub

The profile ID starts with 00e, e.g. 00e3i000001Hdub (the %2F in front of it in the URL is an encoded forward slash and is not part of the ID).

 

 

 

 

IBM Cloud Identity: Define a Cloud Identity attribute source whose fixed value is the existing Salesforce profile ID

1. If not already logged in, log into the CI tenant as an admin.
2. Click on the hamburger icon on the top right (1) and select Configuration (2)

3. Navigate to the Attribute Sources tab (1) and click Add Attribute Source (2) to add the Salesforce profile ID attribute source

Name: Pick a unique attribute name, e.g. sf.ProfileID

Type: Select "Fixed Value"

Value: Enter the Salesforce Profile ID value noted in the previous step

4. Click Save

 

 

 

 

IBM Cloud Identity: Configure Cloud Identity to include the provisioning attributes in the SAML assertion

  1. If not already logged in, log into the CI tenant as an admin.
  2. Click on the hamburger icon on the top right (1) and select Applications
  3. Search for the previously configured Salesforce SSO application that you want to enable JIT for and click on the gear to edit the application
  4. Click on the Sign-on tab (1) and scroll to the Just-in-time Provisioning section
  5. Check the checkbox "Include the provisioning attributes in the SAML assertion" (2)
  6. In the Attribute Mappings section, map the Salesforce attributes to Cloud Identity attribute sources (3). For User.ProfileId, you must select the fixed-value attribute source you created in the previous step.

Example mapping for the required attributes:

User.Email -> email

User.ProfileId -> sf.ProfileID

User.Username -> preferred_username

Note: Salesforce expects User.Username to be in email format.

User.LastName -> family_name

7. Click Save (4)

 

 

Salesforce: Ensure that Just-in-time provisioning is enabled on the Salesforce side

  1. Login to Salesforce at https://login.salesforce.com with an admin user
  2. Expand Identity (1) in the Setup menu and select Single Sign-On Settings (2)
  3. Go to the SAML Single Sign-On Settings section and click Edit (3)
  4. Scroll down to the Just-in-time User Provisioning section and ensure "User Provisioning Enabled" is checked. If not, check it to enable it and click Save

 

 

 

 

Test the JIT provisioning

  1. Log in to the Cloud Identity user dashboard with a user that doesn't yet exist on Salesforce
  2. Click on the Salesforce application; it should single sign-on the user to Salesforce. The user's first SSO session should trigger JIT provisioning under the covers.
  3. Log in to Salesforce using an admin user; you should be able to check Salesforce and see that the user has been created with the selected JIT profile
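When the test above does not produce a Salesforce user, the usual cause is an assertion that is missing one of the four mapped attributes or carries a malformed value. The following Python script is an added example, not part of the original post and not code from IBM or Salesforce: it decodes a base64 SAMLResponse value (as captured from the browser during the first SSO, for instance with a SAML tracer extension), extracts the attribute statement, and checks that User.Email, User.ProfileId, User.Username and User.LastName are present, that the profile ID carries the 00e key prefix, and that the username and email are in email format as the mapping section requires. The sample response it builds is constructed for the example (a minimal, unsigned assertion); the attribute names follow the mapping above and the profile ID is the one shown earlier on this page.

```python
"""Check a SAMLResponse for the attributes Salesforce JIT provisioning needs.

Paste the base64 SAMLResponse captured from the browser into check_response();
an empty list means the assertion looks JIT-ready. This only inspects attribute
content; it does not validate the XML signature (Salesforce does that itself).
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attributes Salesforce requires in the assertion for Just-in-time provisioning
REQUIRED = ("User.Email", "User.ProfileId", "User.Username", "User.LastName")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Salesforce Profile IDs: 15 or 18 alphanumeric characters with key prefix 00e
PROFILE_ID_RE = re.compile(r"^00e[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?$")

# Constructed, minimal unsigned SAML Response used as sample input for this example
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>{username}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>{profile_id}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Username"><saml:AttributeValue>{username}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.LastName"><saml:AttributeValue>{last_name}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_response(email, profile_id, username, last_name):
    """Return a base64-encoded sample SAMLResponse (constructed test input)."""
    xml_text = _TEMPLATE.format(email=escape(email), profile_id=escape(profile_id),
                                username=escape(username), last_name=escape(last_name))
    return base64.b64encode(xml_text.encode()).decode()


def extract_attributes(saml_response_b64):
    """Return {attribute name: [values]} from a base64-encoded SAML Response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_response(saml_response_b64):
    """Return the problems found; an empty list means the assertion looks JIT-ready."""
    attrs = extract_attributes(saml_response_b64)
    problems = []
    for name in REQUIRED:
        values = attrs.get(name)
        if not values or not values[0].strip():
            problems.append("missing or empty attribute %s" % name)
    profile_id = (attrs.get("User.ProfileId") or [""])[0]
    if profile_id and not PROFILE_ID_RE.match(profile_id):
        problems.append("User.ProfileId %r is not a Salesforce profile ID (00e prefix)" % profile_id)
    for name in ("User.Username", "User.Email"):
        value = (attrs.get(name) or [""])[0]
        if value and not EMAIL_RE.match(value):
            problems.append("%s %r is not in email format" % (name, value))
    return problems


if __name__ == "__main__":
    good = build_response("jdoe@example.com", "00e3i000001Hdub", "jdoe@example.com", "Doe")
    print("good:", check_response(good))
    # Wrong key prefix (005 is a User ID, not a Profile ID) and a non-email username
    bad = build_response("jdoe@example.com", "0053i000001Hdub", "jdoe", "Doe")
    print("bad:", check_response(bad))
```

Run it against a real captured SAMLResponse by passing the raw base64 string from the POST body to check_response(); if the script reports a missing attribute, revisit the Attribute Mappings section in Cloud Identity, and if it reports a bad profile ID, recheck the fixed-value attribute source against the URL noted from Salesforce Setup.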

 
