Learn how to automate user creation and provision when you enable SSO for 6clicks
The Just-In-Time provisioning feature enables you to automatically create and update user accounts and role assignments from your identity provider (such as Okta or Microsoft Entra ID). The creation or update is actioned when the user authenticates using Single Sign-On (SSO). This reduces the time spent on manual user management and ensures that your organization's user access is always up-to-date.
JIT provisioning is enabled by default when using SSO.
Onboarding first-time users
New users should not try to access 6clicks directly by entering their username and password. Instead, they should access 6clicks via your identity provider's dashboard.
If your users don't use the identity provider's dashboard, you can send them a direct link instead. The link is the same for every user of your application: https://{6clicks host name}/account/initiate-sso?clientId={client id of application}. For example, if you are hosted on the app-au instance, and the client ID of the application in your identity provider is a1f0c150-270c-45c5-be6c-bcecc2e38cc3, then the link should be https://app-au.6clicks.io/account/initiate-sso?clientId=a1f0c150-270c-45c5-be6c-bcecc2e38cc3.
Troubleshooting
If you are having trouble getting JIT provisioning to work, please ensure the following:
- If you are using the Hub & Spoke model, ensure the hub and all Spokes have separate SSO applications configured. See SSO best practices for Hub & Spoke for more details.
- If you are using an Okta custom authorization server, ensure the custom claim has been configured with the correct name, as per Okta SSO setup instructions.