What are the differences between ZFP and JIT provisioning?

Article ID: 407982

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

Both ZFP (Zero Footprint) and JIT (Just-In-Time) provisioning persist user data from the JWT/ID token into the Identity Store. What are the differences between ZFP and JIT?

Environment

VIP Authentication Hub

Resolution

JIT is the more comprehensive option and covers more use cases than ZFP.

JIT is typically used when an external IDP is involved, and it provides the following capabilities that ZFP does not:

  • Attribute mapping
  • Persisting the entire user profile
  • Creating and synchronizing user groups
  • Configuring identities as read-only (updates managed solely by the IDP)

JIT is often configured to perform user data migration from an external IDP to VIP Authentication Hub (AuthHub). Once the user data has been migrated, the IDP can be decommissioned and all authentication processes can be managed by AuthHub.

ZFP, by contrast, does not support attribute mapping, so the incoming token must carry claims whose names already match those defined in AuthHub.

While JIT can be used to replace ZFP, ZFP cannot provide all the features offered by JIT.

Both approaches create user entries in the T_USER table. JIT provisioning also populates additional relational tables for extended user attributes, while ZFP keeps a lighter data footprint limited to what authentication requires.


JIT:

The JIT process creates an "identity" footprint within Authentication Hub's internal identity store. That identity can then be administered further by an admin or through the self-service options, for example to manage user profiles and group memberships. JIT identities can also be configured as read-only, so that updates come solely from the Identity Provider as the authoritative source.


ZFP:

In some scenarios it may be necessary to use ZFP instead of relying on a direct connection to an identity store. For example, in a deployment where Authentication Hub does not have direct access to a user store, or where building out or provisioning such a store would be expensive, ZFP gives the solution a simple way to extend its services.

Key Distinctions:

JIT Users:

  • Source: Integrated with Identity Providers (IDP)
  • Data Richness: Contains comprehensive user attributes (email, phone, address, etc.)
  • Storage: Full user profile created in T_USER with extended data in related tables
  • Management: Subject to ongoing administrative control and self-service operations
  • Terminology: Referred to as "users" in Authentication Hub

ZFP Users:

  • Source: External directory services or standalone scenarios
  • Data Scope: Minimal user information, primarily authentication-focused
  • Storage: Basic entry in T_USER without extensive profile data
  • Management: Limited administrative overhead
  • Terminology: Referred to as "accounts" in Authentication Hub
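The following is an added, illustrative model of the two provisioning styles described in the Resolution and in the Key Distinctions above; it is not Authentication Hub code. The table name T_USER is taken from the article, but its columns, the T_USER_ATTR and T_GROUP_MEMBER tables, the claim names in the constructed ID-token payload, and the claim-to-attribute mapping are all assumptions made for this demonstration. Token signature verification is assumed to have happened before the claims reach these functions.

```python
"""Illustrative model of JIT vs ZFP provisioning from ID-token claims.

Added example, not Authentication Hub code. T_USER is named in the article;
its columns, the other tables, and the claim names are assumptions.
"""
import sqlite3

# Constructed ID-token claim set (assumed already signature-verified upstream).
ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "u-1001",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "phone_number": "+1-555-0100",
    "address": {"locality": "Springfield"},
    "groups": ["employees", "vpn-users"],
}

# JIT attribute mapping: token claim path -> identity-store attribute (assumed names).
JIT_ATTRIBUTE_MAP = {
    "email": "mail",
    "phone_number": "telephoneNumber",
    "address.locality": "l",
}

# Assumed schema: T_USER holds the core entry; the other two tables hold the
# extended profile data that only JIT populates.
SCHEMA = """
CREATE TABLE T_USER (user_id TEXT PRIMARY KEY, issuer TEXT, username TEXT,
                     readonly INTEGER NOT NULL DEFAULT 0);
CREATE TABLE T_USER_ATTR (user_id TEXT, name TEXT, value TEXT);
CREATE TABLE T_GROUP_MEMBER (user_id TEXT, group_name TEXT);
"""


def new_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def _claim(claims, path):
    """Resolve a dotted claim path such as 'address.locality'; None if absent."""
    cur = claims
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def provision_zfp(db, claims):
    """ZFP: persist only what authentication needs, taken straight from the token.
    No attribute mapping and no extended profile; the claims are used as-is."""
    db.execute("INSERT OR REPLACE INTO T_USER VALUES (?, ?, ?, 0)",
               (claims["sub"], claims["iss"], claims["preferred_username"]))
    db.commit()
    return claims["sub"]


def provision_jit(db, claims, attr_map=JIT_ATTRIBUTE_MAP, readonly=True):
    """JIT: full profile via attribute mapping, group sync, optional read-only flag."""
    uid = claims["sub"]
    db.execute("INSERT OR REPLACE INTO T_USER VALUES (?, ?, ?, ?)",
               (uid, claims["iss"], claims["preferred_username"], int(readonly)))
    db.execute("DELETE FROM T_USER_ATTR WHERE user_id = ?", (uid,))
    for claim_path, attr in attr_map.items():
        value = _claim(claims, claim_path)
        if value is not None:
            db.execute("INSERT INTO T_USER_ATTR VALUES (?, ?, ?)", (uid, attr, str(value)))
    # Group synchronisation: the IDP's group list is authoritative on every login.
    db.execute("DELETE FROM T_GROUP_MEMBER WHERE user_id = ?", (uid,))
    for group in claims.get("groups", []):
        db.execute("INSERT INTO T_GROUP_MEMBER VALUES (?, ?)", (uid, group))
    db.commit()
    return uid


def profile(db, uid):
    """Read back what the store holds for a user, for inspection and testing."""
    row = db.execute("SELECT username, readonly FROM T_USER WHERE user_id = ?", (uid,)).fetchone()
    attrs = dict(db.execute("SELECT name, value FROM T_USER_ATTR WHERE user_id = ?", (uid,)))
    groups = sorted(r[0] for r in db.execute(
        "SELECT group_name FROM T_GROUP_MEMBER WHERE user_id = ?", (uid,)))
    return {"username": row[0], "readonly": bool(row[1]), "attrs": attrs, "groups": groups}


class ReadOnlyIdentity(Exception):
    """Raised when a local edit targets an identity the IDP owns."""


def self_service_update(db, uid, attr, value):
    """Admin or self-service edit of a profile attribute; refused for read-only identities."""
    readonly = db.execute("SELECT readonly FROM T_USER WHERE user_id = ?", (uid,)).fetchone()[0]
    if readonly:
        raise ReadOnlyIdentity(f"{uid} is managed by the IDP; update it there")
    db.execute("DELETE FROM T_USER_ATTR WHERE user_id = ? AND name = ?", (uid, attr))
    db.execute("INSERT INTO T_USER_ATTR VALUES (?, ?, ?)", (uid, attr, value))
    db.commit()
```

Running `provision_zfp` and `provision_jit` against the same constructed token shows the difference in footprint directly: the ZFP entry is a single T_USER row keyed on the token's `sub` and `iss`, while the JIT entry additionally carries the mapped attributes and synchronised group memberships, and a read-only JIT identity rejects local self-service edits so that the IDP stays the authoritative source.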

 

 
