• Documentation

Configure user provisioning with Cisco Duo

Who can do this?
Role: Organization admin
Atlassian Cloud: Atlassian Guard Standard
Atlassian Government Cloud: Available

User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning when Cisco Duo is your identity provider. For the operations that user provisioning supports, see User provisioning features.

Before you begin

Before you can provision external users to your sites and apps:

Subscribe to Atlassian Guard Standard.

Verify one or more of your domains in your organization. Verify a domain

Add an identity provider directory to your organization. Add an identity provider

Link verified domains to your identity provider directory. Link domains to directory

Make sure you're an admin for at least one Jira or Confluence app so you can grant access to synced users.

For an Enterprise plan or Atlassian Government Cloud subscription, make sure that the number of users you need to provision doesn't exceed your user tier.

Set up test accounts

To get started, we recommend trying these setup instructions with test accounts and test groups in Duo. Starting with test accounts can help to avoid disruption when someone unintentionally unassigns users from the Atlassian app in Duo. When you unassign users from the Duo app, you deactivate their accounts, which also removes their access to Atlassian apps.

Connect Duo with SCIM provisioning

After you set up user provisioning, make sure you store the SCIM base URL and API key values, as we won't show them to you again.

  1. Go to Atlassian Administration. Select your organization if you have more than one.

  2. Select Security, then Identity providers.

  3. Select your identity provider directory.

  4. Select Set up user provisioning.

  5. Copy the values for SCIM base URL and API key. You'll need them when you configure Duo.

  6. Select Next, then Save SCIM configuration.

Enable SCIM provisioning in Duo

As part of this step, you need the SCIM base URL and the API key you copied. More about configuring provisioning in Duo

  1. Log in to the Duo Admin Panel and select Applications.

  2. Open your existing Atlassian Cloud - Single Sign-On application.

  3. Select the Provisioning tab.

  4. From the Authentication mode dropdown, select Bearer Token.

  5. Paste the SCIM base URL into the Base URL field.

  6. Paste the API key into the Token field.

  7. Select Connect to application.

Map attributes and select groups

  1. In the Duo Admin Panel, scroll to Attribute mapping.

  2. For emails, select Email Address.

  3. For userName, select Username.

  4. Scroll to Groups and select the Duo groups you want to provision into Atlassian Cloud.

  5. Make sure the Exclude group information checkbox is not selected.

  6. Select Save and enable at the bottom of the page, to start provisioning users and groups.

If you want to view the detailed instructions, see the Duo documentation.

Set up app access for provisioned users in groups

To grant app access to provisioned users, you need to set up app access for existing groups:

  1. From the site (example.atlassian.net) you added, go to App access and find the app you’d like to add the group to.

  2. Select Add group and enter the name of the group containing your synced users.

  3. Select Add groups to give the group app access.

Still need help?

The Atlassian Community is here for you.
Ask the Community
On this pageBefore you beginSet up test accountsConnect Duo with SCIM provisioningEnable SCIM provisioning in DuoMap attributes and select groupsSet up app access for provisioned users in groups
CommunityQuestions, discussions, and articles