
SSO Just-In-Time user provisioning guide

Technical details for configuring Waitwhile for SSO JIT user provisioning

Written by Chris Klemming
Updated over a week ago

Waitwhile supports Just-in-Time (JIT) user provisioning so that your organization can allow new staff members to immediately get access to the Waitwhile platform, without having to be invited. This technical guide covers configuration details.

Just-in-Time (JIT) User Provisioning with Waitwhile

Waitwhile supports Just-in-Time (JIT) user provisioning to streamline user access through SAML-based SSO. With JIT enabled, your organization can automatically create user accounts and assign them to the appropriate resources without needing to send invitations.

This guide outlines how to configure JIT provisioning, the required and optional SAML assertion fields, and potential errors to watch out for.

Configuration Overview

To enable JIT provisioning, your SAML provider must include specific SAML assertion fields in the authentication response. These fields help Waitwhile determine where to assign the new user and what permissions to grant.

Supported SAML Assertion Fields

| Field | Required | Description | Example |
| --- | --- | --- | --- |
| locationIds | Yes (or one of the below location fields) | Comma-separated list of Location IDs. Used to assign users to specific locations. | PHVJPyzMZE2cs363YrXg,3zEENiB5VIclI6qdzOU1,2KFeB5DtP9D1BWjO4cao |
| locationShortNames | Yes (alternative to locationIds) | Comma-separated location short names. | store-a,store-b,store-c |
| locationShortNamePrefix | Yes (alternative to locationIds) | Assigns user to all locations starting with this prefix. | store- |
| accountId | Optional | If not provided, Waitwhile attempts to infer it from the location. | 0fvAJf8TpjmD4NamnKMh |
| roles | Optional | Comma-separated user roles. Defaults to EDITOR. | EDITOR,ADMIN |
| name | Optional | User’s full name. Defaults to the email name if not provided. | John Doe |
| connectResource | Optional | If true, links the user to a resource with the same email. | true |
| resourceCategoryId | Optional | ID of resource category to create a new resource in (if no email match). Only works if connectResource is true. | pYidP6iudNL3T880V3tY |

Example SAML Assertion Snippet

<saml2:Attribute Name="locationIds" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">PHVJPyzMZE2cs363YrXg,3zEENiB5VIclI6qdzOU1</saml2:AttributeValue>
</saml2:Attribute>

Common Errors

| Error Message | Explanation |
| --- | --- |
| Missing location IDs or short names | You must provide at least one of: locationIds, locationShortNames, or locationShortNamePrefix. |
| Locations do not belong to a single account | All locations provided must be under the same Waitwhile account unless accountId is explicitly set. |
| Cannot resolve account from locations | If accountId is not provided and no account can be determined from the locations, provisioning fails. |
| Invalid or non-existing location IDs | Make sure all provided location IDs exist and are valid. |
| Invalid or non-existing short names | Ensure all short names match existing locations in your Waitwhile account. |
| Short name prefix matches multiple accounts | Prefix should only match locations from one account. |
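Before enabling JIT, an identity administrator can check the attributes their IdP emits against the field rules and errors above. The following is an added example, not Waitwhile code: the function names and the sample AttributeStatement are constructed for illustration, the empty-entry and non-default-role checks are added review aids rather than documented Waitwhile behavior, and the script inspects attribute content only (it does not verify the assertion signature or look up locations in your account).

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
LOCATION_FIELDS = ("locationIds", "locationShortNames", "locationShortNamePrefix")
LIST_FIELDS = ("locationIds", "locationShortNames", "roles")

# Constructed sample AttributeStatement; values reuse the examples from this guide.
SAMPLE = f"""<saml2:AttributeStatement xmlns:saml2="{SAML_NS}">
  <saml2:Attribute Name="locationShortNames">
    <saml2:AttributeValue> store-a,store-b, </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="roles"><saml2:AttributeValue>EDITOR,ADMIN</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="resourceCategoryId"><saml2:AttributeValue>pYidP6iudNL3T880V3tY</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""


def read_attributes(xml_text):
    """Return {attribute name: stripped text of its first AttributeValue}."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_jit_attributes(attrs):
    """Return (errors, warnings) for the JIT field rules described in this guide."""
    errors, warnings = [], []
    # Documented rule: at least one of the three location fields must be present.
    if not any(attrs.get(f) for f in LOCATION_FIELDS):
        errors.append("Missing location IDs or short names")
    # Added check (assumption): a stray comma leaves an empty list entry.
    for field in LIST_FIELDS:
        items = [i.strip() for i in attrs[field].split(",")] if field in attrs else []
        if "" in items:
            warnings.append(f"{field}: empty entry in comma-separated list")
    # Added least-privilege review aid: surface roles other than the EDITOR default.
    roles = [r.strip() for r in attrs.get("roles", "EDITOR").split(",") if r.strip()]
    non_default = [r for r in roles if r != "EDITOR"]
    if non_default:
        warnings.append(f"roles other than the EDITOR default: {','.join(non_default)}")
    # Documented rule: resourceCategoryId only works if connectResource is true.
    if "resourceCategoryId" in attrs and attrs.get("connectResource") != "true":
        warnings.append("resourceCategoryId only works if connectResource is true")
    return errors, warnings


if __name__ == "__main__":
    print(check_jit_attributes(read_attributes(SAMPLE)))
```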


Have additional questions or need assistance? Reach out to us via chat or at support@waitwhile.com.
