JIT Connector: Why does the JIT update work despite a wrong SAML configuration?

Problem

Even though the SAML configuration uses an incorrect user lookup attribute, JIT user updates still work.

This behavior can be confusing and may appear inconsistent.

Explanation

To understand this, it helps to look at the two-step process used by the JIT connector.

1. Initial user lookup

In the SAML configuration, a user lookup attribute is defined (for example):

  • Attribute name: userid

  • Attribute value: testaretestson

The JIT connector first tries to find an existing user based on this attribute.

➡️ This lookup fails, because:

  • The user does not have a matching attribute value stored in the application.

2. User construction from SAML attributes

Even though the initial lookup fails, the JIT connector continues processing:

  • A user object is created using all attributes received from the IdP:

    • Username

    • Email address

    • Full name

    • Other mapped attributes

In your JIT configuration:

  • The user is associated with (identified by) its username

  • Since the username is provided by the IdP during login, the user now exists in the system under that identifier

➡️ At this point, User Sync can successfully find the user by username, and the update works.

Recommendation

Although this setup works, it is not recommended.

For a clean and predictable configuration:

  • Update the SAML configuration to use the correct user lookup attribute

  • Ensure that the attribute used for lookup:

    • Exists on the user

    • Matches the data provided by the IdP

This avoids confusion and ensures long-term stability and maintainability of the configuration.
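The following is an added illustration of the two-step flow from the Explanation and of the configuration change from the Recommendation; it is a simplified model written for this article, not the JIT connector's or User Sync's own code. It assumes the IdP sends the username in an attribute called username, and it uses email as the "correct" lookup attribute purely as an example, since the article does not say which attribute the configuration should use. The user record and the SAML assertion are constructed sample data.

```python
"""Model of the two-step JIT connector flow (added illustration, not product code).

Step 1: look the user up by the lookup attribute configured in the SAML settings.
Step 2: if that fails, build the user from all IdP attributes and associate it
        by username, so a later User Sync update by username still finds it.
Every user record and SAML attribute set below is constructed sample data.
"""

from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    attributes: dict = field(default_factory=dict)


class Directory:
    """Tiny in-memory user store, keyed by username."""

    def __init__(self):
        self.users = {}

    def find_by_attribute(self, name, value):
        # Step 1 of the connector: compare the configured lookup attribute only.
        for user in self.users.values():
            if user.attributes.get(name) == value:
                return user
        return None

    def find_by_username(self, username):
        return self.users.get(username)


def jit_login(directory, lookup_attribute, saml_attributes):
    """Return (user, path); 'path' records which step resolved the user."""
    value = saml_attributes.get(lookup_attribute)
    user = directory.find_by_attribute(lookup_attribute, value) if value is not None else None
    if user is not None:
        user.attributes.update(saml_attributes)
        return user, "lookup-attribute"

    # Step 2: the lookup failed, so construct the user from all IdP attributes.
    # The JIT configuration associates the user with its username (assumed here
    # to arrive in the 'username' attribute), so an existing record with that
    # username is reused rather than a second account being created.
    username = saml_attributes["username"]
    user = directory.users.setdefault(username, User(username))
    user.attributes.update(saml_attributes)
    return user, "username-fallback"


def user_sync_update(directory, username, changes):
    """User Sync finds the user by username and applies an update; None if absent."""
    user = directory.find_by_username(username)
    if user is None:
        return None
    user.attributes.update(changes)
    return user


def scenario(lookup_attribute):
    """Run one JIT login plus one User Sync update against a fresh sample directory."""
    directory = Directory()
    # Pre-existing application user: has an email, but no 'userid' attribute stored.
    directory.users["testaretestson"] = User(
        "testaretestson", {"email": "testaretestson@example.test", "fullname": "Test Aretestson"}
    )
    # Constructed SAML assertion as received from the IdP.
    assertion = {
        "username": "testaretestson",
        "userid": "testaretestson",
        "email": "testaretestson@example.test",
        "fullname": "Test Aretestson",
    }
    user, path = jit_login(directory, lookup_attribute, assertion)
    synced = user_sync_update(directory, "testaretestson", {"fullname": "Test A. Retestson"})
    return {
        "path": path,
        "user_count": len(directory.users),
        "synced": synced is not None,
        "fullname": directory.users["testaretestson"].attributes["fullname"],
    }


if __name__ == "__main__":
    # Wrong lookup attribute: the update still works, but only via the username fallback.
    print("lookup by userid:", scenario("userid"))
    # Corrected lookup attribute (assumed 'email'): the user is found in step 1.
    print("lookup by email :", scenario("email"))
```

Running the block shows why the misconfiguration goes unnoticed: with userid as the lookup attribute the path is the username fallback, yet the sync still updates the record, and no duplicate user is created. With a lookup attribute that actually exists on the user and matches the IdP data, the user is resolved in step 1 and the fallback is never needed, which is the predictable behaviour the Recommendation asks for.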