Set up JIT provisioning

Set up Just-in-Time (JIT) provisioning to automate user creation in Cloud Observability.

With JIT provisioning, first-time users can log into Cloud Observability with their Identity Provider (IdP) credentials. Cloud Observability automatically creates their account and assigns them a default role.

Before you begin

Only users with administration permissions can set up JIT provisioning with Cloud Observability.

The steps below assume you have a Cloud Observability Enterprise account and an IdP (for example, Microsoft Entra ID or Okta). For conceptual information about managing users and roles, visit User and role management.

Set up JIT provisioning

Follow these steps to authorize your domain with Cloud Observability:

  1. In Cloud Observability, select Settings > User management > Additional settings.

  2. Below JIT Provisioning, select Add domain.

  3. In the dialog, enter your domain’s URL and select Confirm.

Users with that domain in their email can now log into Cloud Observability. Cloud Observability automatically creates their account and assigns them the default role. You can manually change their role once they’re in the system.

Deactivate JIT provisioning

Follow the steps below to remove an authorized domain from Cloud Observability.

When you remove a domain, first-time users from that domain can no longer log into Cloud Observability with their IdP credentials. Removing the domain doesn't affect accounts that already exist: existing users associated with that domain can still log in.

  1. In Cloud Observability, select Settings > User management > Additional settings.

  2. Below JIT Provisioning, find the relevant domain and select ⋮ > Delete.

    Cloud Observability displays <domain> removed from <organization>.

Visit the links below to learn more about managing users and roles in Cloud Observability.

See also

User and role management

Roles and permissions reference

Map SAML attributes to roles

Updated Nov 7, 2024