Articles on: Security & SSO

Just-in-time (JIT) provisioning

Just-in-time (JIT) provisioning


Once Single Sign-On is set up, you don't need to invite your team members one by one. With

just-in-time (JIT) provisioning, an account is created automatically the first time someone

signs in through your identity provider.


This article explains what happens, what role new people get, and the one thing you'll still need to

do yourself.


JIT provisioning is available once Single Sign-On is set up for your organisation. See [Setting

up Single Sign-On (SSO)](https://help.smartcore.io/en/article/configure-single-sign-on-sso-1bwzc8r/).



How it works


  1. A team member signs in using their work email on your verified domain (for example

jordan@acme.com).

  1. If they don't already have a Smart Core Connect account, one is created for them automatically

using the name and email from your identity provider.

  1. They're added as a Member of your organisation (see below).
  2. They can start using Smart Core Connect straight away.


There's nothing for the user to set up, and nothing for you to prepare in advance — it just works the

first time they sign in.



What role do new people get?


New users are always created as Members — never as administrators. This gives them a standard

level of access to your organisation.


If someone needs a different level of access (for example, an organisation administrator), an org

admin can update their role in Smart Core Connect once they've signed in for the first time.



The one thing you still need to do: assign sites


JIT provisioning creates the account and sets the organisation role, but new users start with

no site access. Until you assign them to a site, they won't see site-specific content such as

bookings, visitors, or announcements.


After someone signs in for the first time:


  1. Find them in your organisation's user list.
  2. Assign them to the relevant site(s) and set their site role.



When someone leaves


If you also use Directory Sync (which keeps your user list aligned with your identity provider

automatically), then when someone is removed from your directory their Smart Core Connect account is

disabled — not deleted. They can no longer sign in, but their history is preserved for your

records.


A couple of things worth knowing:


  • Disabling is reversible. If a person is added back to your directory, their account can be

re-enabled.

  • Your manual decisions stick. If you disable someone yourself in Smart Core Connect, they stay

disabled even if your directory still lists them as active.


Interested in keeping your whole user list in sync automatically? Ask your Smart Core Connect

account manager about Directory Sync.



Frequently asked


Do I need to invite users before they can sign in?

No. With SSO and JIT provisioning, accounts are created automatically on first sign-in.


Someone signed in but can't see anything — why?

They most likely haven't been assigned to a site yet. Assign them to the relevant site(s) and their

content will appear.


Can I still invite people manually?

Yes. JIT provisioning sits alongside manual invitations — it's just there to save you the work for

people who arrive through SSO.





Updated on: 15/06/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!