Automatic User Provisioning Overview
Reduce administrative overhead by using automated processes that create and update user information in Laserfiche Cloud based on information in your SAML identity provider. These options help administrators keep user information synchronized between Laserfiche Cloud and an organization's identity provider without manually creating and modifying users through the Users page.
Laserfiche supports two types of automatic user provisioning options:
- Just-in-time (JIT) Provisioning creates and updates user information when a user signs in, based on attributes included in their SAML token.
- SCIM Provisioning synchronizes user and group membership information with an identity provider on a continuous basis using the SCIM 2.0 protocol.
Which option is right for your organization?
Both options can automatically create and update user information from a SAML identity provider, but they provide slightly different user experiences. For organizations that want minimal configuration and only need to provision users at first sign-in, just-in-time provisioning may be the right option. For organizations that need full user lifecycle management, including deprovisioning and group synchronization, SCIM may be the better choice. The following table contrasts some of the differences in behavior between the two options to help you choose the one that works best for your organization.
| Feature | Just-in-time | SCIM |
|---|---|---|
| Synchronization schedule | When a user signs in via single sign-on | Signaled by changes in the identity provider |
| User creation timing | On first sign-in | When a user provisioning request is sent by the identity provider |
| User deprovisioning | Not supported | User will be automatically disabled in Laserfiche Cloud |
| Group membership synchronization | Not supported | Supported |
| Group-based license rules | Supported | Supported |
| Configuration complexity | Low | Moderate |
| Automation level | Medium | High |
Note: Only one automatic provisioning method can be active at a time. Administrators can choose to switch methods at any time, but switching methods will discard the previous provisioning configuration settings and require reconfiguration. Existing user data is not modified.
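The table lists user deprovisioning as not supported under just-in-time provisioning, so accounts for users who were removed or disabled in the identity provider have to be found by a separate check. The following is an added example, not Laserfiche code: it compares two exports and lists cloud accounts that are still enabled without an active identity provider counterpart. The CSV layouts, column names and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions,
# not a Laserfiche or identity provider export format.
IDP_EXPORT = """email,active
alice@example.com,true
bob@example.com,false
carol@example.com,true
"""
CLOUD_EXPORT = """username,enabled
Alice@example.com,true
bob@example.com,true
dave@example.com,true
carol@example.com,false
"""

def _rows(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def _truthy(value):
    """Interpret common CSV boolean spellings."""
    return value.strip().lower() in ("true", "1", "yes")

def find_stale_accounts(idp_csv, cloud_csv):
    """Return enabled cloud accounts with no active counterpart in the IdP.

    Each result is (username, reason), sorted by username. Names are
    compared case-insensitively.
    """
    idp = {r["email"].strip().lower(): _truthy(r["active"]) for r in _rows(idp_csv)}
    stale = []
    for row in _rows(cloud_csv):
        if not _truthy(row["enabled"]):
            continue  # already disabled in the cloud, nothing to review
        key = row["username"].strip().lower()
        if key not in idp:
            stale.append((key, "missing from IdP"))
        elif not idp[key]:
            stale.append((key, "disabled in IdP"))
    return sorted(stale)

if __name__ == "__main__":
    for username, reason in find_stale_accounts(IDP_EXPORT, CLOUD_EXPORT):
        print(f"{username}: {reason}")
```

Accounts that were never managed through the identity provider will also be reported as missing, so review the list before disabling anything.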