Learn how to automate user creation and provisioning when you enable SSO for 6clicks.
The Just-In-Time (JIT) provisioning feature enables you to automatically create and update user accounts and role assignments from your identity provider (such as Okta or Microsoft Entra ID). The creation or update takes place when the user authenticates using Single Sign-On (SSO). This reduces the time spent on manual user management and ensures that your organization's user access is always up to date.
JIT provisioning can be enabled or disabled when using SSO.
Once JIT Provisioning is enabled, you should not manage roles or groups through 6clicks directly, as they will be overwritten by the assignments supplied by the Identity Provider.
Onboarding first-time users
New users, and users of environments where SSO has been newly set up, should NOT access 6clicks directly by using the default login URL and entering their username and password.
Instead, they should access 6clicks via your identity provider's dashboard.
If your users don't use the identity provider's dashboard, you can send them a direct link instead. The link is the same for every user of your application:
https://{6clicks host name}/account/initiate-sso?clientId={client id of application}
For example, if you are hosted on the app-au instance, and the client ID of the application in your identity provider is a1f0c150-270c-45c5-be6c-bcecc2e38cc3, then the link should be:
https://app-au.6clicks.io/account/initiate-sso?clientId=a1f0c150-270c-45c5-be6c-bcecc2e38cc3
Troubleshooting
If you are having trouble getting JIT provisioning to work, please ensure the following:
- If you are using the Hub & Spoke model, ensure the Hub and all Spokes have separate SSO applications configured. See SSO best practices for Hub & Spoke for more details.
- If you are using an Okta custom authorization server, ensure the custom claim has been configured with the correct name, as per Okta SSO setup instructions.
Example scenarios
All users should be assigned at least one role.
Internal respondents
People internal to your organisation who should only be respondents are excluded from JIT Provisioning of roles. This means they can be assigned access via SSO, but don't have to be mapped to any roles. The same applies to advisors and trust portal viewers.
Removal of roles
If JIT Provisioning is enabled, when a user should no longer have access to 6clicks, removing the user from the role mappings in your Identity Provider should prevent the user from accessing 6clicks.
When not to use JIT
If your 6clicks administrators do not have easy access to your SSO setup and/or vice versa, and the number of internal 6clicks users is stable, you may not want to enable JIT. This ensures that user management is centralized within 6clicks after SSO is initially set up.