Updates To SSO – Just-in-Time Provisioning

Departments Image


Reftab recently issued an update that effects the way users log in via Single Sign-On. 

Just-In-Time (JIT) Provisioning rules are now more strictly adhered to. 


What’s New
Every time a sub user logs into Reftab via SSO, whether their account exists or not, the Just-In-Time roles are checked to ensure that the user matches to a defined policy at all times. 


What Does This Affect?If a sub-account attempts to login and no JIT rules are found to match for the requesting user, the sub account will be disassociated and access will be removed.

Can I Prevent this From Happening?
To avoid this from happening, Reftab admins will need to set the “Role Lock” feature “On”. This will avoid the role check from occurring at each login.

What happened Previously?
If someone logged in and no matching JIT rules were found, (and the user’s accounts already existed in Reftab) they would login to whatever access role they had previously.


Why the Change?
The reason for this is to more strictly adhere to established security measures. 
For example, if a person works in a department that should have access to Reftab, then moves to another department that should not access Reftab, their account should no longer have access to Reftab automatically without a Reftab admin having to update anything on their end.

Finally, users who do not use Just-In-Time Provisioning should not see any changes. If you see any unanticipated changes, reach out and we will assist.
If you have any questions, please contact Reftab support, info@reftab.com
Thank you,