Configure user provisioning with an identity provider

Provisioning is available for all Atlassian accounts, which means that you can create, update, and deactivate accounts from your identity provider. Syncing groups is only currently available for Jira products and Confluence and not yet available for Bitbucket.

Viewing the right content?

From your organization at admin.atlassian.com, if the Users list and Groups list are under the Directory tab, view the improved user management content.

A diagram of an new admin.atlassian.com view that shows a new Directory tab instead of Users and Groups

 

User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning for your identity provider. For the operations that user provisioning supports, see User provisioning features for more details.

After you configure user provisioning, you manage all user attributes and group memberships from your identity provider.

Prerequisites

There are a couple of things you need to do before you can provision external users into your sites and products:

  1. Get the user provisioning functionality for your identity provider.

  2. Make sure you're an admin for an Atlassian organization. See Organization administration.

  3. Verify one or more or your domains in your organization. See Domain verification.

  4. Subscribe to Atlassian Access from your organization. See Atlassian Access security policies and features.

  5. Make sure you're an admin for at least one Jira or Confluence site that you want to grant synced users access to.

The instructions on this page only provide steps for configuring user provisioning in your Atlassian organization. Your identity provider may provide more setup instructions for what do from their side.

Create a SCIM token

  1. From your organization at admin.atlassian.com, click Directory and then User provisioning.

  2. Click Create a directory.

Admin sidebar with User provisioning selected. Sync users from your external directory header with Create a directory button.

3. Enter a name to identify the user directory, for example Okta users, then click Create.

Screenshot of Create a directory screen with a text box for the name and a Create button. The name entered is Okta users

4. Copy the values for Directory base URL and API key. You'll need those for your identity provider configuration later.

Make sure you store these values in a safe place, as we won't show them to you again.

Okta users API key screen. Includes directory base URL and API key.

5. You'll now add Jira or Confluence sites to your organization so that provisioned users can be granted access to the products. See the user provisioning page for more details about why you want to add a site to your organization.

From the User provisioning page, click Add a site, select the site you want to add (e.g. example.atlassian.net), and follow the on-screen instructions.

User provisioning page. A warning box called Set up default access, with an Add a site button

 

Configure product access for the provisioned groups and users

To grant product access to any newly provisioned users, set up product access for existing groups.

  1. From the site (example.atlassian.net) you added in the previous step, go to Product access and find the Confluence section.

  2. Click Add group and select or enter the name of the synchronized group.

Add groups to a product - with an option to select a group from a list or to enter the group name.

3. Click Add groups to finish giving the group product access.
You'll see a success flag that confirms the group is configured for product access. To learn more about configuring product access, see Update product access settings.

Confirmation that product access is updated

Do not make a synced group from your identity provider a default group. This may cause collisions when attempting to add users to the product that are not managed via SCIM.


Improved user management experience

User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning for your identity provider. For the operations that user provisioning supports, see User provisioning features for more details.

After you configure user provisioning, you manage all user attributes and group memberships from your identity provider.

Prerequisites

There are a couple of things you need to do before you can provision external users into your organization and products:

  1. Get the user provisioning functionality for your identity provider.

  2. Make sure you're an admin for an Atlassian organization. See Organization administration.

  3. Verify one or more or your domains in your organization. See Domain verification.

  4. Subscribe to Atlassian Access from your organization. See Atlassian Access security policies and features.

Create a SCIM token

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Settings > User provisioning.

Admin sidebar with User provisioning selected. Sync users from your external directory header with Create a directory button.

3. Select Create a directory.

4. Enter a name to identify the user directory, for example Okta users, then select Create.

Screenshot of Create a directory screen with a text box for the name and a Create button. The name entered is Okta users

5. Copy the values for Directory base URL and API key. You'll need those for your identity provider configuration later.

Make sure you store these values in a safe place, as we won't show them to you again.

Okta users API key screen. Includes directory base URL and API key.

Users and groups will automatically be provisioned to your organization. See the user provisioning page for more details on how your users and groups sync to your organization.

Configure product access for the provisioned groups and users

To grant product access to any newly provisioned users, select Edit product access and set up product access for existing groups. To learn more about configuring product access, see Update product access settings.

Do not make a synced group from your identity provider a default group. This may cause errors when attempting to add users to the product that are not managed via SCIM.

User provisioning section in admin.atlassian.com, on Product access tab. 2 groups are listed, with Edit product access links

Additional Help