Just-In-Time Provisioning
Just-In-Time provisioning creates application accounts on the fly from the attributes carried in SAML assertions. Instead of an administrator creating an account manually for every user, the account is created dynamically the first time that user signs in. Users then log in to the applications through the Platform's SSO portal.
Just-In-Time Provisioning can be enabled in the following SAML-based SSO flows:
- Tenant: While configuring SAML/ADFS Authentication for a tenant, Just-In-Time can be enabled for that tenant.
- Portal Users: Portal users can map their SAML Authentication profiles. Only if Just-In-Time is enabled on that profile can it be used to create new users. See Setting up SSO for Portal Users for more information.
- Global Authentication: Just-In-Time provisioning at the instance level can be achieved by configuring it in the Control Panel or by Configuring SAML/ADFS Authentication for all tenants.
- Make sure both the Just-In-Time and the Validate User Fields on creation options are enabled in the corresponding SAML configuration before provisioning Just-In-Time in any of the above flows.
When exporting an application together with its Authentication profile, make sure the mapped values are correct on the tenant it is imported into. The RoleId usually changes when the tenant changes, so the incoming user details carry a different RoleId and the flow fails with the following error: Cannot create user as role's authentication profile do not match this
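The following is an added illustration, not the Platform's own code, of how a Just-In-Time flow consumes a SAML assertion: it extracts the user attributes, applies the Validate User Fields on creation check, and refuses to create the user when the assertion's RoleId does not match the role bound to the authentication profile, which is exactly the mismatch that appears after an export to another tenant. The profile dictionary, the required field names, the RoleId values and the assertion XML are all constructed for this example; the assertion's signature is assumed to have been verified upstream.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_FIELDS = ("Email", "FirstName", "LastName", "RoleId")

# Hypothetical authentication profile as it exists on the tenant the application was
# imported into. The RoleId is a constructed placeholder, not a real identifier.
IMPORTED_PROFILE = {"jit_enabled": True, "validate_user_fields": True, "RoleId": "ROLE-TARGET-TENANT"}

# Constructed SAML assertion fragment: the IdP still sends the RoleId that was valid on
# the exporting tenant, so it no longer matches the imported profile above.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="RoleId"><saml:AttributeValue>ROLE-SOURCE-TENANT</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class ProvisioningError(Exception):
    """Raised when the assertion cannot be turned into a new user account."""


def extract_attributes(assertion_xml: str) -> dict:
    """Flatten the AttributeStatement into a {Name: value} dict (first value only)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text.strip() if value is not None and value.text else ""
    return attrs


def jit_provision(assertion_xml: str, profile: dict, existing_users: set) -> dict:
    """Return the user record that would be created, or raise ProvisioningError."""
    if not profile["jit_enabled"]:
        raise ProvisioningError("Just-In-Time is not enabled on this authentication profile")
    attrs = extract_attributes(assertion_xml)
    if profile["validate_user_fields"]:  # the "Validate User Fields on creation" option
        missing = [f for f in REQUIRED_FIELDS if not attrs.get(f)]
        if missing:
            raise ProvisioningError("Missing user fields: " + ", ".join(missing))
    # The role carried in the assertion must be the role bound to this profile.
    if attrs.get("RoleId") != profile["RoleId"]:
        raise ProvisioningError("Cannot create user as role's authentication profile do not match this")
    if attrs["Email"] in existing_users:
        return {"Email": attrs["Email"], "created": False}
    return {"Email": attrs["Email"], "RoleId": attrs["RoleId"], "created": True}
```

Re-mapping the profile's RoleId to the value the IdP actually sends (here ROLE-SOURCE-TENANT) is what makes the same assertion provision successfully.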