Make changes in your identity provider to users and groups and sync them to your Atlassian organization.
You can now find user provisioning in the same place you manage your identity provider. Learn more about identity providers
User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning for your identity provider. Learn more about operations that user provisioning supports
After you configure user provisioning, you manage all user attributes and group memberships from your identity provider.
Provisioning is available for all Atlassian accounts, which means that you can create, update, and deactivate accounts from your identity provider. Syncing groups is only available for Jira products and Confluence and not yet available for Bitbucket and Trello.
Before you begin
Here’s what you must do before you can provision external users to your sites and products:
Subscribe to Atlassian Access from your organization. Learn about Atlassian Access security policies and features
Make sure you're an admin for an Atlassian organization. Learn about Organization administration
Verify one or more of your domains in your organization. Learn about Domain verification
Add an identity provider directory to your organization. Learn how to Add an identity provider
Link verified domains to your identity provider directory. Learn how to link domains
Make sure you're an admin for at least one Jira or Confluence site to grant synced users access to.
The instructions on this page only provide steps for configuring user provisioning in your Atlassian organization. Your identity provider may provide setup instructions for what to do from their side. Go to instructions for Atlassian’s supported identity providers
What is user provisioning with SCIM?
We support user provisioning using the System for Cross-domain Identity Management (SCIM), and this feature uses the SCIM 2.0 version of the protocol.
Before you set up user provisioning via SCIM, we recommend you:
Create test accounts and groups in your identity provider to prevent existing users from losing product access.
When you connect your identity provider and sync for the first time, you can use these test accounts and groups to ensure everything works.
After setup is complete, you can:
Manage user details and groups from your identity provider
Update synced groups and users to automatically access Atlassian products
Connect an identity provider with SCIM provisioning
You can use the identity provider of your choice, but some capabilities are only available with selected identity providers. Learn which identity providers we support
To connect an identity provider and set up user provisioning:
Select your Identity provider Directory.
Select Set up user provisioning.
Copy the values for SCIM base URL and API key.
Save your SCIM configuration.
Make sure you store the values in a safe place, as we won't show them to you again.
Make sure you have a site in your organization
Users are synced to sites and products in your organization. When you provision users to an organization, you need to grant them access to products. You can do this after you add a site for a product.
Select Add product.
Select a product you’d like to add.
Enter the Site name (for example, example.atlassian.net)
Configure product access for the provisioned groups and users
To grant product access to provisioned users, you need to set up product access for existing groups.
From the site (example.atlassian.net) you added, go to Product access and find the product you’d like to add the group to.
Select Add group and select or enter the name of the synchronized group.
Select Add groups to finish giving the group product access.
You'll see a success flag that confirms the group is configured for product access. Learn more about configuring product access