Skip to main content
All CollectionsUser permissionsSingle Sign-On (SSO/SAML)
SSO Just-In-Time user provisioning guide
SSO Just-In-Time user provisioning guide

Technical details for configuring Waitwhile for SSO JIT user provisioning

Chris Klemming avatar
Written by Chris Klemming
Updated over 3 months ago

Waitwhile supports Just-in-Time (JIT) user provisioning so that your organization can allow new staff members to immediately get access to the Waitwhile platform, without having to be invited.

This technical guide covers configuration details.

Supported SAML assertion fields

1. locationIds

Comma-separated location IDs to which the user will be assigned.

Example

<saml2:Attribute Name="locationIds" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">PHVJPyzMZE2cs363YrXg,3zEENiB5VIclI6qdzOU1,2KFeB5DtP9D1BWjO4cao</saml2:AttributeValue>
</saml2:Attribute>

2. locationShortNames

Comma-separated location short names.

Example

<saml2:Attribute Name="locationShortNames" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">store-a,store-b,store-c</saml2:AttributeValue>
</saml2:Attribute>

3. locationShortNamePrefix

User will be assigned to all locations on the account matching the prefix.

Example

<saml2:Attribute Name="locationShortNamePrefix" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">store-</saml2:AttributeValue>
</saml2:Attribute>

4. accountId

Optional. Account ID to which the user will be assigned. If not specified, the account ID will be extracted from the given locations.

Example

<saml2:Attribute Name="accountId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">0fvAJf8TpjmD4NamnKMh</saml2:AttributeValue>
</saml2:Attribute>

5. roles

Optional. Comma-separated roles. If not provided the EDITOR role will be assigned.

Example

<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">EDITOR,ADMIN</saml2:AttributeValue>
</saml2:Attribute>

6. name

Optional. User’s name. If not provided the name will be extracted from the email.

Example

<saml2:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">John Doe</saml2:AttributeValue>
</saml2:Attribute>

Errors

Missing location IDs or location short names

No location IDs or location short names or location short name prefix given in the SAML assertion fields.

Provided locations do not belong to one account

  • Failed to extract one account ID from the given locations if the “accountId” is not provided.

  • Given location short name prefix matches more than one account.

Cannot resolve account for the provided locations

Failed to extract any account ID from the given locations if the “accountId” is not provided.

Cannot assign non-existing location(s)

One or more of the given location IDs do not exist.

Cannot assign non-existing location short name(s)

One or more of the given location short names do not exist.

Provided location short name prefix does not match any location

One or more of the given prefixes do match available location short names.

Have additional questions or need assistance? Reach out to us via chat or at support@waitwhile.com.

Did this answer your question?