Once SAML SSO is already configured, enabling Just-in-Time provisioning in Salesforce is done on the SAML Single Sign-On setting itself. The architect turns on JIT user provisioning, selects the provisioning type, and supplies the SAML JIT handler if custom logic is needed. That is the expected configuration path because JIT is part of the federation handshake, not a sharing model or permission-set feature. Creating a random Apex class without wiring it into the SAML setting would not enable JIT on its own. The architectural distinction is that JIT rides inside the SAML login process. Therefore it must be enabled and configured where Salesforce processes the incoming assertion. This is why option A is the best answer in Salesforce terms.