What Happens to Our Users When we Migrate from Atlassian Crowd to a Different IDP
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
In some situations there is a need to migrate users from Atlassian Crowd to another IDP, and in these situations we want to make sure you know what to expect so the transition is smooth.
Diagnosis
You have been using Crowd to manage your users but, because of some change, you are switching to another provider such as Okta, Azure, Shibboleth, etc.
These users exist in Jira in an external directory
The new IDP is being added as an Authentication Method Only
Scenarios
Assuming that you are using the SSO for Atlassian Data Center app and that "Just in Time" (JIT) Provisioning is enabled:
Scenario: User exists in the external user directory and both the SAML authentication method and external user directory are active.
When the same user logs into Jira via SSO, we can tie them back to the SAME account. This then allows them to access Jira as the user from the external user directory without any data, group, or permission loss. It's a clean cut-over with no additional data added.
Scenario: After inactivating the external user directory and leaving the SAML authentication method enabled
The user is able to log in to Jira and, with saml.username == ldap.username, Jira creates a duplicate record in Jira's internal directory. The user, however, does not lose access to historic data. The IDP is responsible for managing groups, permissions, etc., so all of that must be included in the SAML assertion.
Scenario: What about if the username from the IDP is different?
If the nameId (mapped value) in the SAML assertion does not match a record in the cwd_user table, regardless of the directory, then a new user record is generated and treated as a new user. This means that they'll start as a new user in your Jira environment and will lose access to historic data.
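The three scenarios above follow one decision rule: match the SAML nameId against every cwd_user record; if the matched record's directory is active, reuse the account; if it is inactive, create a duplicate in the internal directory; if nothing matches, create a brand-new user. The following is an added example that models that rule and provides a pre-migration check for usernames that would fall into the third scenario. It is not Atlassian's or the SSO app's code; the class names, the constructed sample users and the simplified, case-insensitive username match are assumptions for illustration.

```python
"""Model of JIT provisioning outcomes when Crowd is replaced by a SAML IDP (constructed example)."""
from dataclasses import dataclass

# Name of the directory that receives JIT-created and duplicated records (assumed label).
INTERNAL_DIRECTORY = "Jira Internal Directory"


@dataclass
class Directory:
    name: str
    active: bool


@dataclass
class User:
    user_name: str
    directory: str          # directory that owns this cwd_user record
    groups: tuple = ()      # group memberships as they would be visible to Jira


@dataclass
class JiraModel:
    directories: dict       # directory name -> Directory
    users: list             # all cwd_user records, across every directory

    def find_user(self, user_name):
        """Look up a username across all directories (assumed case-insensitive match)."""
        for u in self.users:
            if u.user_name.lower() == user_name.lower():
                return u
        return None

    def jit_login(self, name_id, saml_groups=()):
        """Apply the matching rule for one SAML login; return (outcome, record used)."""
        existing = self.find_user(name_id)
        if existing is None:
            # Scenario 3: no cwd_user match at all -> new user, no historic data.
            new = User(name_id, INTERNAL_DIRECTORY, tuple(saml_groups))
            self.users.append(new)
            return "new-user", new
        if self.directories[existing.directory].active:
            # Scenario 1: same account, groups and permissions intact.
            return "same-account", existing
        # Scenario 2: the match lives in an inactive directory -> duplicate in the
        # internal directory; groups now come only from the SAML assertion.
        dup = User(existing.user_name, INTERNAL_DIRECTORY, tuple(saml_groups))
        self.users.append(dup)
        return "duplicate-in-internal", dup


def premigration_check(model, idp_name_ids):
    """Return the nameIds the IDP will send that match no cwd_user record.

    Each of these would become a new account after cut-over, so they should be
    aligned (in the IDP attribute mapping or in Jira) before the directory is inactivated.
    """
    return sorted(n for n in idp_name_ids if model.find_user(n) is None)


def build_sample():
    """Constructed sample: two Crowd users plus an empty internal directory."""
    dirs = {
        "Crowd": Directory("Crowd", True),
        INTERNAL_DIRECTORY: Directory(INTERNAL_DIRECTORY, True),
    }
    users = [
        User("jdoe", "Crowd", ("jira-users",)),
        User("asmith", "Crowd", ("jira-users", "jira-administrators")),
    ]
    return JiraModel(dirs, users)


if __name__ == "__main__":
    model = build_sample()
    print(model.jit_login("jdoe"))                        # same-account
    model.directories["Crowd"].active = False
    print(model.jit_login("jdoe", ["jira-users"]))        # duplicate-in-internal
    print(model.jit_login("john.doe@example.com"))        # new-user
    print(premigration_check(build_sample(), ["jdoe", "john.doe@example.com"]))
```

Running premigration_check against the list of nameId values your IDP will actually emit (for example an export of the mapped attribute) before you inactivate the Crowd directory tells you exactly which users would land in the third scenario.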