User Provisioning and SAML Single Sign-On for Jira Service Management Customers
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
Streamline user management in your Atlassian Cloud Organization with user provisioning and Atlassian Guard.
Solution
Customer accounts in Jira Service Management
Customer accounts for Jira Service Management are unlicensed users who can submit requests to your teams. They are provided free and are non-billable even when provisioned through Atlassian Guard. There are two types of Customer accounts in Jira Service Management: internal and external user accounts.
Types of Customer Accounts
Customer account types typically align with either an organization's direct employees (internal accounts), created as Atlassian accounts, or users outside an organization's managed domains (external accounts), created as portal-only accounts.
Atlassian accounts are recommended for internal employees and offer many advantages: they have additional sign-on options (for example, Google, Microsoft, Slack, etc.), can be used with authentication policies, and can be granted additional product access.
Atlassian accounts can access your help center through your cloud site URL (that is, https://site-name.atlassian.net/) or a portal-specific URL (for example, https://site-name.atlassian.net/servicedesk/customer/portal/3) and submit requests to a dedicated service project email channel.
Portal-only accounts are most commonly used for external users outside your company to request support. They can only be granted access to a service project through the portal's specific URL (for example, https://site-name.atlassian.net/servicedesk/customer/portal/3) or email channel.
Portal-only accounts can't be used with authentication policies to enforce SAML single sign-on (SSO), as these policies are designed for Atlassian accounts. However, you can now configure SAML single sign-on for portal-only customers through an additional IdP integration.
Learn more about the different account types that customers can have.
What type of account is best for my users?
Whether your team manages internal or external users or needs a hybrid approach based on the user's domain, you can choose user provisioning or self-sign-up options that work best for your user onboarding experience.
To decide what type of account is best for users, please take some time to review the best practices article Choosing the right approach to Customer Management in Jira Service Management.
The Jira Service Management Customer role
A dedicated product access role for JSM Customers was introduced to provide more granular control over which end users are granted customer access to individual sites. A provisioned user without product access is no longer automatically considered a JSM customer.
This role can be granted during SCIM user provisioning by synchronizing a user group from your external directory (IdP - Identity Provider), or when users access the portal using SAML Just-in-Time (JIT) provisioning through configured authentication policies, which will create an Atlassian account at login.
When using self-sign-up flows, an organization's user access settings allow for managing the type of account created based on the user's email domain.
Jira Service Management's product-level customer access settings and organization-level approved domain settings determine the type of account created for the specified domain's users when accessing support portals.
Learn more about changing your customers' access settings for Jira Service Management and controlling how users get access to products based on your organization's user access settings.
SCIM user provisioning for Jira Service Management Customers
Atlassian accounts
User provisioning with SCIM allows you to create, link, and deactivate Atlassian accounts from your integrated external directory (IdP - Identity Provider). To provide the Jira Service Management Customer role at the time of user provisioning, a user group can be created and synchronized from the external directory with the Customer role granted in the organization's product access settings. The role can be given from product management or user group management panels in the cloud organization's Admin Hub (admin.atlassian.com) based on the instance's current user management experience.
This configuration grants users immediate access upon provisioning to log in to a portal or submit issues using the email channel to any open support portal on your help center. For restricted service projects, you can add the group to the Project settings > People panel with the Service Desk Customer role to provide portal access upon account creation. There are limits on the total number of users, groups, and user group sizes you can provision using Atlassian Guard, which can impact this configuration option.
Portal-only accounts
SCIM support for JSM portal accounts is expected to be shipped during Q2 2025. For more information, see our Cloud Roadmap.
SAML Just-in-Time user provisioning for Jira Service Management Customers
SAML can also be used to provision users to your Atlassian cloud platform from your external directory (IdP) when they authenticate using SSO, leveraging SAML Just-in-Time (JIT) provisioning. Provisioning users using SAML creates Atlassian accounts for them when they sign in to a customer portal for the first time.
Learn more about controlling how users get access to products per user access settings, and see the community article Jira Service Management – Internal customers: Just-in-time, which outlines this feature.
Allow sign-up to Jira Service Management customer portals
Jira Service Management customer access settings control whether self-sign-up for the portal is allowed for either internal or external customer accounts. When configuring SAML Just-in-Time provisioning, which provides Atlassian account provisioning to your cloud organization, the current organization-level user access settings will need to be enabled to support customer account creation for internal accounts with approved domains.
Learn more about changing your organization's customer access settings and approved domain settings.
Jira Service Management portal-only customer SAML integration
Atlassian administrators can now enforce SAML SSO for portal-only (external) customers to enhance the overall security posture of their environment. An additional IdP integration will be necessary to configure SSO with your site's Jira Service Management product and requires you to set up SAML outside of any pre-configured Atlassian Cloud applications, which are designed for use with Atlassian accounts. This integration also allows Just-in-Time provisioning capabilities to create portal-only accounts for accessing Jira Service Management within your connected external directory.
To access the setup and configuration of SSO authentication for portal-only customers, navigate to Jira Settings > Products > Jira Service Management > Authentication, or open it from your Atlassian organization administration hub (admin.atlassian.com).