Single Sign-On Just In Time (JIT) Provisioning for SAML

What is JITP SAML Authentication?

Capitol Connect®, PACWeb®, and GOTV support Just-In-Time Provisioning (JITP) via SAML Authentication.

JITP allows users to be automatically created (provisioned) in Democracy Direct at the moment they log in via SSO—eliminating the need for pre-registration or manual user imports.

How It Works (At a Glance)

  1. User clicks login via SSO

  2. Identity Provider sends a SAML response

  3. Capitol Connect®, PACWeb®, or GOTV (whichever application received the response):

    • Validates the SAML response and its signature, authenticating the user

    • Creates the user record in Democracy Direct® on-the-fly (if it doesn’t already exist)

  4. User is immediately logged in and can take action


When to Use JITP

JITP is ideal for:

  • Associations with dynamic or frequently changing membership

  • Organizations with strict data governance or privacy requirements

JITP SAML Authentication — Technical Implementation Guide

SAML Response Requirements

When implementing SAML for JITP, ensure the following minimum requirements are met:

✅ Required Elements
  • NameID (unique user identifier, typically email)

  • Timestamp fields (IssueInstant, NotBefore, NotOnOrAfter)

  • Valid XML Signature

⚠️ Important Notes
  • All IDs, timestamps, and certificates must be generated at runtime for each response

  • Sample values (IDs, timestamps, keys, certificates) from this guide must never be reused in production

  • The response must conform to the SAML 2.0 standard

  • The signing key must correspond to the IdP certificate registered with Democracy Direct; a response signed with any other key cannot be validated


JITP Required User Attributes

To successfully provision a user in Democracy Direct, the following fields are required:

  • First Name

  • Last Name

  • Email

  • Zip Code

If any of these are missing, user provisioning will fail.


Supported Claim Types (Field Mapping)

SAML attributes must be mapped to Democracy Direct fields using the following claim types:

DDC Field            Claim Type
-------------------  ---------------
First Name           givenname
Last Name            surname
Email                email
Zip Code             PostalCode
Home Phone           homephone
Cell Phone           mobilephone
Street Address (1)   streetaddress
Street Address (2)*  StreetAddress2
City                 locality
State                StateOrProvince
Title*               Title
Company*             Company

* DDC-specific custom claim types


Custom Claim Types (DDC-Specific)

The following fields are not part of the standard claim-type namespace and must be sent as bare attribute names, spelled exactly as defined (no schema URL prefix):

  • Title

  • Company

  • StreetAddress2

Example (Custom Attribute)

<saml:Attribute Name="Company">
<saml:AttributeValue xsi:type="xs:string">Acme Corp</saml:AttributeValue>
</saml:Attribute>


Standard Claim Format

Standard SAML claims should use the full claim-type URI, i.e. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ followed by the claim type from the mapping table:

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
</saml:Attribute>
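The following is an added example (not Democracy Direct code) that puts the requirements above together on the IdP side: every ID and timestamp is generated at call time, standard claims are emitted under the full claim-type URI and DDC custom claims as bare names. The issuer, Destination (ACS URL) and Audience values are hypothetical placeholders. The XML Signature is deliberately not produced here; the output must be signed with the IdP's private key using an XML-DSig library (for example the signxml or xmlsec Python packages) before it is posted.

```python
"""Build an (unsigned) SAML 2.0 Response for JITP with runtime IDs and timestamps.

Added example, not Democracy Direct code. Issuer, Destination and Audience are
hypothetical placeholders; signing is left to an XML-DSig library.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)


def saml_id() -> str:
    """Fresh xs:ID per message: an NCName must not start with a digit, hence the '_'."""
    return "_" + uuid.uuid4().hex


def saml_time(t: datetime) -> str:
    """SAML 2.0 timestamps are UTC xs:dateTime values with a trailing 'Z'."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def add_attribute(statement: ET.Element, name: str, value: str) -> None:
    attr = ET.SubElement(statement, f"{{{SAML}}}Attribute", {"Name": name})
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue",
                  {f"{{{XSI}}}type": "xs:string"}).text = value


def build_response(name_id, standard_claims, custom_claims, *, issuer, destination,
                   audience, now=None, validity=timedelta(minutes=5)):
    """Return the serialized Response. IDs and timestamps are computed per call."""
    now = now or datetime.now(timezone.utc)
    not_on_or_after = saml_time(now + validity)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": saml_id(), "Version": "2.0",
        "IssueInstant": saml_time(now), "Destination": destination})
    resp.set("xmlns:xs", "http://www.w3.org/2001/XMLSchema")  # declares xs: for xsi:type
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})

    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": saml_id(), "Version": "2.0", "IssueInstant": saml_time(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer

    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": EMAIL_FORMAT}).text = name_id
    # Web Browser SSO profile: bearer confirmation bound to the ACS URL and validity window.
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", {"Method": BEARER})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                  {"Recipient": destination, "NotOnOrAfter": not_on_or_after})

    conditions = ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                               {"NotBefore": saml_time(now), "NotOnOrAfter": not_on_or_after})
    restriction = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = audience

    statement = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for claim, value in standard_claims.items():   # standard claims: full claim-type URI
        add_attribute(statement, CLAIMS + claim, value)
    for claim, value in custom_claims.items():     # DDC custom claims: bare name, exact spelling
        add_attribute(statement, claim, value)
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    print(build_response(
        "john.doe@example.com",
        {"givenname": "John", "surname": "Doe",
         "email": "john.doe@example.com", "PostalCode": "20005"},
        {"Company": "Acme Corp"},
        issuer="https://idp.example.org/saml",             # hypothetical IdP entity ID
        destination="https://sp.example.org/saml/acs",     # hypothetical ACS URL
        audience="https://sp.example.org/saml/metadata"))  # hypothetical SP entity ID
```

Two calls never produce the same Response or Assertion ID, which is what the runtime-generation rule above requires; the five-minute validity window is a common default and should be kept short so a captured response cannot be replayed long after issue.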


SAML Response Structure (Key Sections)

A valid SAML response should include:

1. Response Wrapper

  • Contains metadata like Destination, ID, and IssueInstant

2. Assertion

  • Core payload containing identity and attributes

3. Signature

  • Must be present and valid

  • Typically uses RSA-SHA256

4. Subject

  • Contains NameID (user identifier)

5. Conditions

  • Defines validity window (NotBefore, NotOnOrAfter)

6. AttributeStatement

  • Contains all user attributes (claims)


Sample Attribute Block

<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<saml:AttributeValue>John</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<saml:AttributeValue>Doe</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
<saml:AttributeValue>john.doe@example.com</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/PostalCode">
<saml:AttributeValue>20005</saml:AttributeValue>
</saml:Attribute>

<!-- Custom Claims -->
<saml:Attribute Name="Title">
<saml:AttributeValue>Director</saml:AttributeValue>
</saml:Attribute>

</saml:AttributeStatement>
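As an added example (not Democracy Direct code), the following pre-flight checker takes a captured SAML Response, maps its attributes to DDC fields using the claim-type table above, checks the Conditions window, and reports the required fields (First Name, Last Name, Email, Zip Code) that would make provisioning fail. The sample response embedded in it is constructed for this example, with placeholder IDs and the Signature element omitted. The checker does not verify the XML Signature; that check must be done with an XML-DSig library against the registered IdP certificate before any attribute is trusted.

```python
"""Pre-flight check of a captured SAML Response against the JITP requirements.

Added example, not Democracy Direct code. Signature verification is out of
scope here and must be done first with an XML-DSig library.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Claim type -> DDC field. Standard claims carry the full claim-type URI;
# DDC custom claims (Title, Company, StreetAddress2) arrive as bare names.
CLAIM_TO_FIELD = {
    CLAIMS + "givenname": "first_name",
    CLAIMS + "surname": "last_name",
    CLAIMS + "email": "email",
    CLAIMS + "PostalCode": "zip_code",
    CLAIMS + "homephone": "home_phone",
    CLAIMS + "mobilephone": "cell_phone",
    CLAIMS + "streetaddress": "street_address_1",
    CLAIMS + "locality": "city",
    CLAIMS + "StateOrProvince": "state",
    "StreetAddress2": "street_address_2",
    "Title": "title",
    "Company": "company",
}
REQUIRED = ("first_name", "last_name", "email", "zip_code")

# Constructed sample: placeholder IDs, no Signature, attributes as in the sample block above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_response1" Version="2.0"
    IssueInstant="2025-01-15T12:00:00Z" Destination="https://sp.example.org/saml/acs">
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2025-01-15T12:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject><saml:NameID>john.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-01-15T12:00:00Z" NotOnOrAfter="2025-01-15T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
        <saml:AttributeValue>john.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/PostalCode">
        <saml:AttributeValue>20005</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Title">
        <saml:AttributeValue>Director</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(s: str) -> datetime:
    """Parse an xs:dateTime; SAML timestamps are UTC, written with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def extract_fields(xml_text: str):
    """Return (ddc_fields, unmapped_claim_names). Empty values count as missing."""
    root = ET.fromstring(xml_text)
    fields, unmapped = {}, []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("Name", "")
        value = (attr.findtext(f"{{{SAML}}}AttributeValue") or "").strip()
        field = CLAIM_TO_FIELD.get(name)  # exact match: spelling and case must agree
        if field is None:
            unmapped.append(name)
        elif value:
            fields[field] = value
    return fields, unmapped


def missing_required(fields: dict) -> list:
    return [f for f in REQUIRED if not fields.get(f)]


def check_conditions(xml_text: str, now: datetime) -> list:
    """NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 core)."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SAML}}}NameID") is None:
        return ["NameID missing"]
    cond = root.find(f".//{{{SAML}}}Conditions")
    if cond is None:
        return ["Conditions element missing"]
    problems = []
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        problems.append("NotBefore is in the future")
    if not not_on_or_after:
        problems.append("NotOnOrAfter missing")
    elif now >= parse_saml_time(not_on_or_after):
        problems.append("NotOnOrAfter has passed")
    return problems


def preflight(xml_text: str, now: str = None):
    """Return (ddc_fields, problems); an empty problems list means JITP can provision."""
    now_dt = parse_saml_time(now) if now else datetime.now(timezone.utc)
    fields, unmapped = extract_fields(xml_text)
    problems = check_conditions(xml_text, now_dt)
    problems += [f"missing required field: {f}" for f in missing_required(fields)]
    problems += [f"unmapped claim ignored: {n}" for n in unmapped]
    return fields, problems


if __name__ == "__main__":
    print(preflight(SAMPLE_RESPONSE, now="2025-01-15T12:02:00Z"))
```

Running the checker on the sample with the clock inside the window yields all four required fields plus Title and no problems; changing the PostalCode claim name to postalcode makes it an unmapped claim, and the report then shows the missing Zip Code that would cause provisioning to fail.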