JIT (Just-in-Time) provisioning allows new users to be automatically created in Hudu when they first log in via SSO — no manual setup required.
This guide walks through enabling JIT provisioning in Hudu.
Prerequisites
- SAML SSO must already be configured between Hudu and your Identity Provider (IdP).
- Admin or Super Admin access in Hudu.
- Administration abilities within your IdP.
Enabling JIT Provisioning in Hudu
- In Hudu, go to Admin > Security > SSO.
- Scroll to the bottom and toggle Auto-Provision Users.
- Set your desired:
  - Default Role
  - Default Group(s)
Default Role
This sets the user’s role when:
- JIT provisioning is enabled for the first time.
- No valid hudu_user_role attribute is provided.
- A hudu_user_role claim exists but contains an unsupported value.
Default Group(s)
All provisioned users will be added to this group unless:
- They are assigned a role of Admin or Super Admin.
- The Default Role is set to Admin or Super Admin.
Group membership cannot be dynamically updated through JIT after creation.
Ensure SSO Assignment in Identity Provider
Users must be assigned to the Hudu SSO application inside your identity provider (IdP).
Once assigned, users will be automatically provisioned the first time they log in via SSO.
Configuring Role-Based Claims
Claim Configuration
- Name: hudu_user_role (must match exactly).
Claim Conditions
For each group/role mapping, enter one of the following exact values:
| Hudu Role | Claim Value |
| --- | --- |
| Spectator | spectator |
| Author | author |
| Editor | editor |
| Admin | admin |
| Super Admin | super_admin |
Portal member is not an acceptable Claim Value. If you attempt to assign a user to portal_member, they will be added according to your provisioned user defaults.
- (Optional) Add additional conditions for other groups and roles.
- Save your claim.
Notes and Gotchas
- Propagation Delay: Changes to claim configuration may take ~30 seconds to take effect.
- Group Conflicts: Users should belong to only one provisioned group. If a user is part of multiple provisioned groups with conflicting roles, the IdP may assign a role unpredictably.
- Missing Names: If a user does not have a first and last name in the IdP, they will appear in Hudu as:
  - First Name: Provisioned
  - Last Name: User
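A pre-rollout check of the role rules above, as an added example that is not Hudu's code: it models the fallback to the Default Role, the Default Group(s) exclusion for Admin and Super Admin, and the multiple-group conflict, over a constructed IdP export. The function names, the sample users, and the case-sensitive comparison of claim values are assumptions.

```python
# Added example: models the rules described on this page; not Hudu's code.
ACCEPTED = {"spectator", "author", "editor", "admin", "super_admin"}
PRIVILEGED = {"admin", "super_admin"}


def resolve(claim_values, default_role):
    """Return (role, gets_default_groups, findings) for one user.

    claim_values: hudu_user_role values the IdP would emit (empty list means
    no attribute). Assumption: values are compared case-sensitively.
    """
    findings = []
    distinct = sorted(set(claim_values))
    if len(distinct) > 1:
        # Several provisioned groups with different roles: outcome is unpredictable.
        return None, None, ["conflict: " + ", ".join(distinct)]
    if not distinct:
        role = default_role
        findings.append("no claim: default role applies")
    elif distinct[0] in ACCEPTED:
        role = distinct[0]
    else:
        role = default_role
        findings.append(f"unsupported value {distinct[0]!r}: default role applies")
    if role in PRIVILEGED:
        findings.append("privileged role: review")
    # Default Group(s) are skipped for Admin/Super Admin users, and for
    # everyone when the Default Role itself is Admin or Super Admin.
    gets_groups = role not in PRIVILEGED and default_role not in PRIVILEGED
    return role, gets_groups, findings


# Constructed IdP export: user -> hudu_user_role values from group mappings.
SAMPLE = {
    "alice@example.com": ["editor"],
    "bob@example.com": [],
    "carol@example.com": ["portal_member"],
    "dave@example.com": ["super_admin"],
    "erin@example.com": ["author", "admin"],
}


def audit(users, default_role):
    return {user: resolve(values, default_role) for user, values in users.items()}


if __name__ == "__main__":
    for user, (role, groups, findings) in audit(SAMPLE, "spectator").items():
        print(user, role, groups, "; ".join(findings) or "ok")
```

Run it with the Default Role you plan to set; any user reported with a conflict, an unsupported value, or a privileged role is worth resolving in the IdP before the first SSO login.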
Final Test
After setup:
- Assign a test user to the SSO application.
- Ensure they belong to only one provisioned group.
- Try logging in via SSO.
- Verify the role and group assigned in Hudu.
If login and provisioning succeed with correct role/group assignment — you're all set!
FAQ
Answer: Yes, we support attribute mapping through SCIM. We've only tested it with Microsoft Entra ID, but other providers should work as well.