---
title: JIT
url: https://www.tines.com/docs/admin/user-administration/jit/
updated: 2026-03-04T20:27:08+00:00
---

# JIT

## Just-in-time user provisioning

With SSO enabled via SAML or OIDC, administrators can optionally enable just-in-time user provisioning. When enabled, administrators can provide a JSON configuration that maps a group on their SSO identity provider to a Tines team and role. Once set up, a user signing in to Tines for the first time is automatically placed in the team and role mapped to their SSO group in the configuration JSON, without requiring an invitation to the tenant.

Note: A change to the just-in-time configuration will not update existing users' teams and roles unless `Enhanced Just-in-time syncing` is enabled (see below for details).

> **NOTE:** JIT support is not available in all plans. Please reach out to your Tines point of contact or [Tines support](mailto:support@tines.com) to learn more about enabling it.

To set up:

1. Configure your tenant to use SAML or OIDC for single sign-on.
2. Enter a value for "SSO-group-based access", so that the user group information is available to Tines when a user logs in.
3. Select Just-in-time user provisioning in the User provisioning section.
4. Configure a group mapping that has at least one entry for `mappings`, and optionally `tenant_owners_groups` and `tenant_permission`. See the [Automated user provisioning section](https://www.tines.com/docs/admin/user-administration/user-provisioning/#user-group-mappings) for details about configuring mappings.

![](https://www.datocms-assets.com/55802/1677088092-screen-shot-2023-02-22-at-9-47-27-am.png)

*An example of a Group Attribute Statement configuration in Okta.*

**Optional Mappings**

For a new user's first name, last name, and avatar to be configured automatically when signing on, add the `givenname`, `surname`, and `avatar` attributes to the SAML statement or OIDC claim.

> **TIP:** In order to ensure your Identity Provider is pushing groups and memberships to Tines correctly, you can review the "Identity Provider Groups" for a user in the admin users list and confirm that expected groups are present.

## Enhanced Just-in-time syncing

In addition to just-in-time user provisioning, administrators can also enable "Enhanced Just-in-time syncing". This feature syncs a user's teams, case groups and roles from their IdP on *every login*.

Once this is enabled on a tenant, a user's team memberships and roles are provisioned and synced in Tines to match changes made to resources on the Identity Provider. **As a result, managing a user's team and role assignments via Tines will now be disabled.**

> **IMPORTANT:** If you are using the `tenant_owners_groups` configuration to automatically manage which users are granted "tenant owner" status via multiple groups, you must first ensure the groups listed for this are assigned in the Identity Provider and are passed along to Tines. Otherwise, when setting `tenant_owners_groups`, current admins who are not associated with the correct group could lose their privileges.
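
An added pre-flight check for the warning above (example code, not part of the Tines documentation or product): it reports which current tenant owners would not match any group listed in `tenant_owners_groups`. It assumes `tenant_owners_groups` is a list of IdP group names and that the owner inventory is copied by hand from the "Identity Provider Groups" shown in the admin users list; the function name, the placeholder `mappings` entry and all sample data are constructed.

```python
import json

# Constructed sample: the JIT group-mapping JSON an admin is about to save.
# Only the key names come from the page; the value shapes are assumptions.
PROPOSED_CONFIG = json.loads("""
{
  "mappings": [{"placeholder": "entry format is documented elsewhere"}],
  "tenant_owners_groups": ["tines-owners", "secops-leads"]
}
""")

# Constructed sample: current tenant owners and the "Identity Provider Groups"
# listed for each of them in the admin users list.
CURRENT_OWNERS = {
    "alice@example.com": ["tines-owners", "engineering"],
    "bob@example.com": ["Tines-Owners "],   # near miss: case and trailing space
    "carol@example.com": ["engineering"],   # no owner group reaches Tines
    "dave@example.com": [],                 # IdP sends no groups at all
}


def _norm(name):
    return name.strip().casefold()


def preflight(config, owners):
    """Return findings that should be resolved before saving the config."""
    findings = {"config_errors": [], "would_lose_owner": [], "near_miss": []}
    if not config.get("mappings"):
        findings["config_errors"].append("mappings needs at least one entry")
    owner_groups = config.get("tenant_owners_groups")
    if owner_groups is None:
        return findings  # key not set, so this check does not apply
    exact = set(owner_groups)
    loose = {_norm(g) for g in owner_groups}
    for user, groups in sorted(owners.items()):
        if exact & set(groups):
            continue  # at least one listed group arrives from the IdP
        if loose & {_norm(g) for g in groups}:
            findings["near_miss"].append(user)  # differs only by case/space
        else:
            findings["would_lose_owner"].append(user)
    return findings


if __name__ == "__main__":
    print(json.dumps(preflight(PROPOSED_CONFIG, CURRENT_OWNERS), indent=2))
```

The page does not say how Tines compares group names, so only exact matches are treated as safe; names that differ by case or whitespace are reported separately for manual review.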

To set up (at `/settings/authentication` in your tenant):

1. Follow steps for configuration of JIT above. This feature is compatible with existing JIT configurations so current mappings will work.
2. Scroll down to the User provisioning section. Click on the Switch entitled "**Enhanced just-in-time syncing**".
3. Save
4. Now on each login a user's team and role assignments will be synced from their IdP settings.

![](https://www.datocms-assets.com/55802/1760710456-jit_sync.png)

*Authentication Settings configuration of enhanced JIT syncing.*
