Just-in-Time (JIT) Provisioning in COSGrid

COSGrid uses Just-in-Time (JIT) Provisioning to automatically create and manage user accounts at the time of first login through Single Sign-On (SSO). This eliminates the need for manual user creation and ensures seamless onboarding while maintaining centralized identity control.

1. Overview

COSGrid can be integrated with an external Identity Provider (IdP) such as:

  • Okta

  • Microsoft Azure AD

  • Google Workspace

  • OneLogin

Once an IdP is integrated, user accounts are automatically provisioned inside COSGrid during each user's first successful authentication.

2. How JIT Login Works in COSGrid

Step 1: User Initiates Login

The user accesses the COSGrid portal and selects Login with SSO.

Step 2: Redirection to Identity Provider

COSGrid redirects the user to the configured IdP for authentication.

Step 3: Authentication at IdP

The IdP verifies:

  • Username / Email

  • Password or MFA

Step 4: Assertion & Attribute Transfer

Upon successful authentication, the IdP sends a SAML assertion containing user attributes such as:

  • Name

  • Email

  • Role

Step 5: JIT User Creation in COSGrid

If the user does not already exist in COSGrid:

  • A new user account is automatically created.

  • Default role and access policies are assigned.

  • User profile attributes are mapped and stored.

If the user already exists:

  • The system validates and updates attributes (if configured).

  • Login proceeds normally.

Step 6: Access Granted

The user is granted access to:

  • COSGrid Dashboard

  • ZTNA Applications

  • Web Filtering Policies

  • Configured resources based on role

3. Security Controls

COSGrid enforces strict security controls during JIT provisioning:

  • Account creation only after successful IdP authentication

  • Optional domain restriction (e.g., only @company.com)

  • Role assignment based on group mapping

  • MFA enforced at IdP level

  • Logging and auditing of first-time login events
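The create-or-update decision from Step 5 combined with the controls listed above, as an added example that is not COSGrid's own code. The group names, role names, attribute keys and the `Directory` store are assumptions, and the assertion is assumed to have been validated (signature, issuer, audience, validity window) before this logic runs.

```python
from dataclasses import dataclass, field

# All names and values below are assumptions made for this example.
ALLOWED_DOMAINS = {"company.com"}
GROUP_ROLE_MAP = {"cosgrid-admins": "admin", "cosgrid-users": "user"}
ROLE_RANK = {"user": 1, "admin": 2}
DEFAULT_ROLE = "user"

@dataclass
class Directory:
    users: dict = field(default_factory=dict)  # email -> profile
    audit: list = field(default_factory=list)  # audit events, oldest first

def resolve_role(groups):
    """Highest-ranked mapped role; unmapped groups grant nothing extra."""
    roles = [GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP]
    return max(roles, key=ROLE_RANK.get, default=DEFAULT_ROLE)

def jit_login(directory, attrs, update_existing=True):
    """attrs come from an assertion whose signature, issuer, audience and
    validity window were already verified by the SAML layer."""
    email = str(attrs.get("email", "")).strip().lower()
    local, sep, domain = email.rpartition("@")
    # Exact match only: substring or suffix tests admit look-alike domains.
    if not sep or not local or "@" in local or domain not in ALLOWED_DOMAINS:
        directory.audit.append({"event": "jit_denied", "email": email})
        return None
    role = resolve_role(attrs.get("groups", []))
    user = directory.users.get(email)
    if user is None:  # first login: create the account and audit it
        user = {"email": email, "name": attrs.get("name", ""), "role": role}
        directory.users[email] = user
        directory.audit.append({"event": "jit_user_created", "email": email, "role": role})
    elif update_existing:  # returning user: resync attributes from the IdP
        if user["role"] != role:
            directory.audit.append({"event": "role_changed", "email": email,
                                    "old": user["role"], "new": role})
        user.update(name=attrs.get("name", user["name"]), role=role)
    return user

# Constructed sample attribute sets (not real assertions).
SAMPLE_LOGINS = [
    {"email": "Asha@Company.com", "name": "Asha", "groups": ["cosgrid-users"]},
    {"email": "asha@company.com", "name": "Asha R", "groups": ["cosgrid-admins", "hr"]},
    {"email": "eve@company.com.example", "name": "Eve", "groups": ["cosgrid-admins"]},
]

if __name__ == "__main__":
    d = Directory()
    for attrs in SAMPLE_LOGINS:
        print(jit_login(d, attrs))
    print(d.audit)
```

Auditing role changes on returning users, not only first-time creation, makes a privilege change driven by an IdP group edit visible in the same log.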

4. Benefits of COSGrid JIT Login

  • Automated User Onboarding: No manual account creation required.

  • Centralized Identity Management: User lifecycle managed entirely in the IdP.

  • Reduced Administrative Overhead: IT teams do not need to create users individually.

  • Improved Security: Only authenticated and authorized users are provisioned.

  • Faster Deployment: Ideal for organizations deploying COSGrid across multiple departments.

5. JIT vs Manual User Creation

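| Feature         | JIT Provisioning         | Manual Creation |
|-----------------|--------------------------|-----------------|
| User Creation   | Automatic at first login | Admin-created   |
| Scalability     | High                     | Limited         |
| Admin Effort    | Minimal                  | High            |
| Identity Source | IdP                      | Local Database  |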

6. Recommended Use Cases

  • Organizations using SAML-based SSO

  • Enterprises integrating COSGrid with Azure AD or Okta

  • Rapid onboarding environments

  • Distributed teams requiring centralized identity governance