Configure Atlassian Guard SAML Single Sign-on and User Provisioning for Customer Accounts in Jira Service Management
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
Atlassian Guard provides the Single Sign-on (SSO) feature, which uses the SAML protocol, and the user provisioning feature, which uses the SCIM protocol.
An email address is one of the primary identifiers of Atlassian Cloud accounts, and mapping inconsistent values can create duplicate accounts and cause login problems. If you are using both the SAML SSO and the user provisioning (SCIM) features, make sure you map the same IDP attribute to both of the following SAML and SCIM attributes.
Feature | Attribute name |
---|---|
SAML SSO | NameID |
SCIM | emails[type eq "work"].value |
![Diagram showing that the "emails[type eq "work"].value" mapping and NameID claim needs to be mapped to the same user attribute in the IDP](https://images.ctfassets.net/zsv3d0ugroxu/1v4fOC8rrlT29O7lx1dxVZ/ffc4ea5a146e4e882637f504399fe8c3/SAML_and_SCIM_-_For_customer.png)
Good
Feature | Attribute name | Account attribute |
---|---|---|
SAML SSO | NameID | user.email |
SCIM | emails[type eq "work"].value | user.email |
Bad
Feature | Attribute name | Account attribute |
---|---|---|
SAML SSO | NameID | user.email |
SCIM | emails[type eq "work"].value | UPN |
Solution
If you need to change SAML or SCIM behavior and the change requires updating the mappings, involve your IDP admin and make sure that both the SAML NameID and the SCIM emails[type eq "work"].value point to the same user attribute, in email format.
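One way to verify the mapping for a test user before rolling out a change is to compare the NameID in a captured SAML assertion with the work email in that user's SCIM resource. The script below is an added example, not Atlassian's code; the function names, the sample assertion and SCIM payloads, and the case-insensitive comparison are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose format check only

def saml_name_id(xml_text):
    """Return the Subject NameID of a SAML 2.0 assertion, or None."""
    # Assertions from untrusted sources should go through a hardened XML parser.
    node = ET.fromstring(xml_text).find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        return None
    return (node.text or "").strip() or None

def scim_work_email(user):
    """Resolve emails[type eq "work"].value on a SCIM user resource, or None."""
    for entry in user.get("emails", []):
        if str(entry.get("type", "")).lower() == "work" and entry.get("value"):
            return entry["value"].strip()
    return None

def mapping_problems(xml_text, scim_user):
    """Return a list of findings; an empty list means the two values agree."""
    name_id, work = saml_name_id(xml_text), scim_work_email(scim_user)
    problems = []
    for label, value in (("SAML NameID", name_id), ("SCIM work email", work)):
        if value is None:
            problems.append(f"{label} is missing")
        elif not EMAIL_RE.match(value):
            problems.append(f"{label} is not in email format: {value!r}")
    # Assumption: the two values are compared case-insensitively.
    if name_id and work and name_id.lower() != work.lower():
        problems.append(f"mismatch: NameID={name_id!r} work email={work!r}")
    return problems

def assertion(name_id):
    """Build a minimal, constructed assertion carrying only the NameID."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f"<saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>")

# Constructed samples: GOOD maps user.email to both; BAD sends a UPN over SCIM.
GOOD = (assertion("jane.doe@example.com"),
        {"userName": "jane.doe", "emails": [{"type": "work", "value": "jane.doe@example.com"}]})
BAD = (assertion("jane.doe@example.com"),
       {"userName": "jane.doe", "emails": [{"type": "work", "value": "jdoe@corp.example.net"}]})

if __name__ == "__main__":
    for name, (xml_text, user) in (("good", GOOD), ("bad", BAD)):
        print(name, mapping_problems(xml_text, user) or "consistent")
```

The BAD sample passes the email-format check on both sides and is flagged only by the mismatch check, which is why a UPN that looks like an email address can go unnoticed.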