Skip to main content

Search

How can we help?

Just-in-Time (JIT) Provisioning (SAML)

Just-in-Time (JIT) Provisioning automatically creates Reachdesk users the first time they log in via Single Sign-On (SSO). This removes the need for admins to manually create user accounts as teams grow.

 

What Is Just-in-Time (JIT) Provisioning?

When SAML2 authentication and JIT Provisioning are enabled:

  • A user who does not yet exist in Reachdesk can log in through SSO.

  • Reachdesk automatically creates the user account on their first login.

  • The new user can immediately access Reachdesk with a default role.

This simplifies onboarding and reduces admin workload.

 

Supported Identity Providers

JIT provisioning works with any identity provider that supports SAML2 authentication, including:

  • Salesforce

  • Google

  • Okta

  • OneLogin

  • Any other SAML2-compatible provider

 

How to Enable JIT Provisioning

Steps

  1. Navigate to Organization → Settings.

  2. Open Single Sign On and click on Setup.

  3. Enable Just-in-Time (JIT) Provisioning.

Once enabled, new users will be automatically created when they log in through SSO for the first time.

 

How Reachdesk Creates New Users

When a user signs in through SSO for the first time:

  • Reachdesk automatically creates a new user account.

  • The user is assigned the default Sender role.

 

Automatic Team Assignment

Reachdesk can automatically assign users to a Team based on their group in the identity provider.

How It Works

If the group name from the identity provider matches a Reachdesk team name, the user will automatically be added to that team.

Example: Matching Group Name

  • Identity provider group: Marketing

  • Reachdesk team: Marketing

Result:

  • The user is automatically assigned to the Marketing team in Reachdesk.

Example: No Matching Team

  • Identity provider group: UK Sales

  • No UK Sales team exists in Reachdesk

Result:

  • The user account is created, but no team is assigned.

Admins can manually assign the user to a team later if needed.

 

What Happens If a User's Group Changes?

JIT provisioning only applies when the user logs in for the first time.

If a user's group changes in the identity provider after their account is created:

  • The user’s team assignment in Reachdesk will not automatically update.

  • Any changes must be handled manually in Reachdesk.

 

What Happens If a User Is Deactivated in the Identity Provider?

If a user is deactivated in the SAML identity provider:

  • The user will remain active in Reachdesk.

  • Reachdesk does not currently support automatic user de-provisioning via SCIM.

Admins must manually deactivate the user in Reachdesk if needed.

 

Need Help?

If you need assistance with SAML or JIT provisioning, contact support@reachdesk.com.

 

Comments

0 comments

Please sign in to leave a comment.