Identity Patterns with the WSO2 Identity Server
JIT provision users to cloud service providers

Problem:
  • The company foo has an account with the bar cloud service provider (bar can be Google Apps, Salesforce, Workday or similar). 
  • The company foo trusts employees of the company zee to log in to the bar cloud service provider under the foo account. 
  • For example, the company foo wants users from the company zee to log in to its Google Apps domain.
Solution:
  • Introduce bar as a service provider (bar-sp) to the WSO2 Identity Server running at foo. 
  • Introduce bar as a provisioning identity provider (bar-idp) to the WSO2 Identity Server, and configure the provisioning protocol supported by bar. For example, if bar is Salesforce, pick the Salesforce provisioning connector. 
  • Introduce the company zee as an identity provider to the WSO2 Identity Server running at foo, and enable JIT provisioning, so that a zee user who authenticates through zee gets a local account at foo on first login. 
  • Under the bar-sp service provider configuration, under local and outbound authentication configuration, select zee as the federated identity provider. This means a user who wants to log in to bar-sp is redirected to the zee identity provider for authentication. 
  • Under the bar-sp service provider configuration, under outbound provisioning configuration, select bar-idp as a provisioning identity provider, so that the JIT-provisioned user is also created in bar. 
  • Introduce the WSO2 Identity Server running at foo as a trusted identity provider to the bar cloud service provider, so that bar accepts assertions issued by foo. For example, in Salesforce, add WSO2 Identity Server as a trusted identity provider. 
  • Products: WSO2 Identity Server 5.0.0+
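The flow the solution bullets describe, as an added model in plain Python (not WSO2 Identity Server code and not part of the original page): the identifiers foo-is, zee-idp, bar-idp, bar-sp, partner-idp and other-sp, and all class and method names, are assumptions made for the model. It shows the order of operations for one zee user logging in to bar-sp (assertion from zee is checked against the SP's selected federated IdP, a local account is JIT-provisioned on first login, the user-creation event pushes the account to bar-idp through its connector, and foo's Identity Server then asserts the same subject to bar-sp), and the two checks a practitioner cares about: provisioning runs once per user rather than on every login, and assertions from an IdP that is not the one selected for the SP are rejected.

```python
"""Model of the JIT + outbound provisioning pattern above (foo, zee, bar).

Added illustration in plain Python, not WSO2 Identity Server code; the class
names, method names and identifiers (foo-is, zee-idp, bar-idp, bar-sp,
partner-idp, other-sp) are assumptions made for this model.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FederatedAssertion:
    """What the federated IdP (zee) asserts after authenticating a user."""
    issuer: str
    subject: str
    claims: dict


@dataclass
class IdentityProvider:
    name: str
    jit_provisioning: bool = False
    # Outbound provisioning connector, e.g. "salesforce" or "scim"; None = authentication only.
    provisioning_connector: Optional[str] = None


@dataclass
class ServiceProvider:
    name: str
    federated_idp: str  # local & outbound authentication: the IdP users are redirected to
    outbound_provisioning_idps: list = field(default_factory=list)  # outbound provisioning: connector IdPs


class IdentityServer:
    """Identity server at foo: local user store plus remote accounts pushed via connectors."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.idps = {}
        self.sps = {}
        self.local_users = {}        # subject -> claims (JIT-provisioned accounts)
        self.remote_accounts = {}    # connector IdP name -> {subject: claims} pushed to that provider
        self.provisioning_calls = 0  # counts real connector calls, to show provisioning is one-shot

    def add_idp(self, idp):
        self.idps[idp.name] = idp
        if idp.provisioning_connector:
            self.remote_accounts[idp.name] = {}

    def add_sp(self, sp):
        self.sps[sp.name] = sp

    def _provision_outbound(self, sp, subject, claims):
        """Push a newly created local user to every connector IdP configured on the SP."""
        for idp_name in sp.outbound_provisioning_idps:
            idp = self.idps[idp_name]
            if not idp.provisioning_connector:
                raise ValueError(f"{idp_name} has no provisioning connector configured")
            if subject in self.remote_accounts[idp_name]:
                continue  # already provisioned: never create duplicates at the provider
            self.remote_accounts[idp_name][subject] = dict(claims)
            self.provisioning_calls += 1

    def login(self, sp_name, assertion):
        """Federated login to an SP; returns the assertion foo's server issues to that SP."""
        sp = self.sps[sp_name]
        # Only the IdP selected under the SP's federated authentication is trusted.
        if assertion.issuer != sp.federated_idp:
            raise PermissionError(f"{assertion.issuer} is not the federated IdP for {sp_name}")
        idp = self.idps[sp.federated_idp]
        if assertion.subject not in self.local_users:
            if not idp.jit_provisioning:
                raise PermissionError("no local account and JIT provisioning is disabled")
            self.local_users[assertion.subject] = dict(assertion.claims)
            # In this model the JIT user-creation event is what triggers outbound provisioning.
            self._provision_outbound(sp, assertion.subject, assertion.claims)
        # The subject asserted to bar is the same identifier that was provisioned there.
        return {"issuer": self.issuer, "audience": sp_name, "subject": assertion.subject}


def build_foo_identity_server():
    """Wire up the configuration from the Solution bullets (names are assumptions)."""
    ids = IdentityServer(issuer="foo-is")
    ids.add_idp(IdentityProvider(name="zee-idp", jit_provisioning=True))
    ids.add_idp(IdentityProvider(name="bar-idp", provisioning_connector="salesforce"))
    ids.add_idp(IdentityProvider(name="partner-idp"))  # JIT left disabled, for contrast
    ids.add_sp(ServiceProvider(name="bar-sp", federated_idp="zee-idp",
                               outbound_provisioning_idps=["bar-idp"]))
    ids.add_sp(ServiceProvider(name="other-sp", federated_idp="partner-idp"))
    return ids


if __name__ == "__main__":
    ids = build_foo_identity_server()
    # Constructed sample: one zee employee authenticated by zee-idp.
    alice = FederatedAssertion("zee-idp", "alice@zee.example", {"email": "alice@zee.example"})
    print(ids.login("bar-sp", alice))  # first login: JIT account + provisioned to bar
    print(ids.login("bar-sp", alice))  # second login: nothing re-provisioned
    print(ids.provisioning_calls, ids.remote_accounts)
```

The subject that bar-idp's connector receives and the subject later asserted to bar-sp are deliberately the same value; if a claim mapping changes one but not the other, bar ends up with an account that no assertion ever matches.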