Just-in-Time Provisioning: Stop Pre-Creating Salesforce Users
- Vítor Batista @asUgo

Picture this. You show up at an office you have never visited, and nobody pre-printed a badge with your name on it. You walk to the front desk, show the company ID your employer gave you, and the receptionist reads your details straight off it and prints your access badge on the spot. No paperwork the week before. No drawer full of badges for people who might show up someday.
Just-in-Time (JIT) Provisioning is Salesforce doing exactly that with user accounts. It automatically creates a user the first time that person logs in through SAML (Security Assertion Markup Language), the standard that lets one system securely vouch for a user's identity to another. In a typical JIT setup, users do not need to be pre-created in Salesforce before their first login.
The key is where that information comes from. The user's details don't start in Salesforce. They come from another system, the Identity Provider (IdP), which already knows who your people are. Salesforce trusts that information because it arrives as a signed assertion from an IdP you have configured to trust, then maps the allowed attributes onto the new user.
If you run a team where new people arrive all the time, this is the difference between manually setting up every user in advance and letting the login itself do the work. For most organizations, that is a pile of quiet admin effort that simply disappears.
What Happens During JIT Provisioning?
Let's take the example of the office front desk again. The employer is the trusted party that issued the ID. The building is the place the person is trying to get into. Here is the same story, in Salesforce terms:
The user authenticates to the IdP, the trusted party that already knows who they are (the employer who issued the ID).
The IdP sends a SAML Assertion, a signed message carrying the user's attributes (the ID card itself).
The Service Provider (SP) reads those attributes, things like name, email, and role (the front desk reading the card).
If that user doesn't exist yet, the SP creates a brand new user from that information (the badge printed on the spot).
No user account exists ahead of time, although the supporting Salesforce configuration must already be in place. There is no drawer full of pre-made badges for people who might show up someday. The first valid login is what brings the user into existence. And JIT is not only about creating users. When the user already exists, it can update their details on login too, depending on your configuration.
How JIT Provisioning Actually Works
In JIT, the information about the user travels inside an attribute statement in the SAML Assertion. On the Salesforce side, those attributes are consumed either by the standard JIT mapping or, when you need custom logic, by an Apex JIT handler class. By configuring the IdP, you decide exactly which values get passed across to the SP. In other words, you control what the ID card says before the user ever walks up to the desk.
Salesforce recognizes specific SAML attribute names for standard JIT provisioning, while custom Apex handlers allow more flexible mapping logic. It does not blindly copy everything the IdP sends. In that standard configuration, attributes are typically prefixed with "User." to map them to User fields (for example User.Email), and you can include custom text-type fields too.
A few details are worth pinning down, because this is where setups quietly break:
Take into account the fields required on the User record, such as Email, LastName, Username, and ProfileId. The assertion needs to provide whatever your org requires to create the user.
Salesforce needs enough information to determine which Profile to assign. In standard JIT implementations this is often provided as a ProfileId, while custom Apex handlers can derive the Profile from other attributes such as a profile name or business role.
JIT provisioning failures typically appear during login, but detailed troubleshooting often requires reviewing Salesforce Login History, SAML validation tools, debug logs, or IdP logs.
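As an added illustration (not code from this post or from Salesforce), here is a small Python model of the mapping step described above: it reads the AttributeStatement of a constructed assertion, keeps only allowlisted "User."-prefixed attributes, checks the required fields, and decides between create, update, or reject. The allowlist, the sample values and the placeholder ProfileId are assumptions; signature validation of the assertion is assumed to have happened earlier.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Fields the post lists as required to create a User (names after the "User." prefix).
REQUIRED = ("Username", "Email", "LastName", "ProfileId")
# Allowlist of User fields JIT may touch (assumption; tune to your org). Not allowlisted
# here on purpose: IsActive, so an IdP cannot toggle it through the assertion.
ALLOWED = set(REQUIRED) | {"FirstName", "FederationIdentifier", "Department__c"}

# Constructed sample assertion fragment (not a real IdP message; ProfileId is a placeholder).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Username"><saml:AttributeValue>ada@example.com.sso</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00ePLACEHOLDER0001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.IsActive"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_user_attributes(assertion_xml):
    """Return {field: value} for User.-prefixed attributes that are on the allowlist.
    Unprefixed or non-allowlisted attributes are dropped, mirroring the point that
    Salesforce does not blindly copy everything the IdP sends."""
    root = ET.fromstring(assertion_xml)
    fields = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith("User."):
            continue
        field = name[len("User."):]
        if field not in ALLOWED:
            continue
        value = attr.find("saml:AttributeValue", NS)
        fields[field] = (value.text or "").strip() if value is not None else ""
    return fields


def plan_jit(fields, existing_usernames):
    """Decide what this login should do: ("create", fields), ("update", fields),
    or ("reject", [missing required fields]) when the assertion is incomplete."""
    missing = [f for f in REQUIRED if not fields.get(f)]
    if missing:
        return ("reject", missing)
    action = "update" if fields["Username"] in existing_usernames else "create"
    return (action, fields)
```

A "reject" result is the case that surfaces as a login failure in practice, which is why the missing-field list is worth logging alongside Login History when troubleshooting.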
When Should You Use JIT Provisioning?
JIT Provisioning is at its most powerful in environments where:
User accounts don't already exist in the SP, so there is nothing to pre-load (these are first-time visitors, the desk has no badge on file for them).
Admins would rather not create every user by hand (no one wants to hand-make a badge for each visitor).
A centralized IdP already manages your users (one trusted source for everyone's identity).
If that sounds like your org, you are exactly the audience this was built for. The more people you onboard, the more JIT pays you back.
Final thought
Pre-creating users is one of those chores that feels small until you are doing it fifty times a month. JIT Provisioning hands that job to the login itself. The IdP already knows who your people are, so let it tell Salesforce, and let Salesforce build the user the moment it is actually needed. You set it up once, and from then on the front desk takes care of the rest.
Connect with me on LinkedIn to share ideas or provide feedback Vítor Batista | LinkedIn.