Configure user provisioning with an identity provider

You can now find user provisioning in the same place you manage your identity provider. Select Security > Identity providers. Learn more about identity providers

User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning for your identity provider. Learn more about operations that user provisioning supports

After you configure user provisioning, you manage all user attributes and group memberships from your identity provider.

Who can do this?
Role: Organization admin
Plan: Atlassian Access

Provisioning is available for all Atlassian accounts, which means that you can create, update, and deactivate accounts from your identity provider. Syncing groups is only available for Jira products and Confluence and not yet available for Bitbucket and Trello. 

Before you begin

Here’s what you must do before you can provision external users to your sites and products:

Subscribe to Atlassian Access from your organization. Understand Atlassian Access

Make sure you're an admin for an Atlassian organization. 

Verify one or more of your domains in your organization. Learn about Domain verification

Add an identity provider directory to your organization. Learn how to Add an identity provider

Link verified domains to your identity provider directory. Learn how to link domains

Make sure you're an admin for at least one Jira or Confluence site to grant synced users access to.

The instructions on this page only provide steps for configuring user provisioning in your Atlassian organization. Your identity provider may provide setup instructions for what to do from their side. Go to instructions for Atlassian’s supported identity providers

What is user provisioning with SCIM?

We support user provisioning using the System for Cross-domain Identity Management (SCIM), and this feature uses the SCIM 2.0 version of the protocol.

Before you set up user provisioning via SCIM, we recommend you:

  1. Create test accounts and groups in your identity provider to prevent existing users from losing product access.

  2. When you connect your identity provider and sync for the first time, you can use these test accounts and groups to ensure everything works.

After setup is complete, you can:

  • Manage user details and groups from your identity provider

  • Update synced groups and users to automatically access Atlassian products

Connect an identity provider with SCIM provisioning

You can use the identity provider of your choice, but some capabilities are only available with selected identity providers. Learn which identity providers we support

To connect an identity provider and set up user provisioning:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Identity providers.

  3. Select your Identity provider Directory.

  4. Select Set up user provisioning.

  5. Copy the values for SCIM base URL and API key.

  6. Save your SCIM configuration.

Make sure you store the values in a safe place, as we won't show them to you again. 

Make sure you have a site in your organization

Users are synced to sites and products in your organization. When you provision users to an organization, you need to grant them access to products. You can do this after you add a site for a product.

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products.

  3. Select Add product.

  4. Select a product you’d like to add.

  5. Enter the Site name (for example, example.atlassian.net)

Configure product access for the provisioned groups and users

To grant product access to provisioned users, you need to set up product access for existing groups.

  1. From the site (example.atlassian.net) you added, go to Product access and find the product you’d like to add the group to.

  2. Select Add group and select or enter the name of the synchronized group.

  3. Select Add groups to finish giving the group product access.

You'll see a success flag that confirms the group is configured for product access. Learn more about configuring product access

Additional Help