Configure user provisioning with Google Cloud

You can now find user provisioning in the same place you manage your identity provider. To find it, go to Security > Identity providers. Learn more about identity providers

User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning when Google Cloud is your identity provider. For the operations that user provisioning supports, see Understand user provisioning.

After you configure user provisioning, you can manage user attributes and group memberships from your identity provider.

Provisioning is available for all Atlassian accounts, which means that you can create, update, and deactivate accounts from your identity provider. Syncing groups is currently available only for Jira products and Confluence, and is not yet available for Bitbucket and Trello.

Before you begin

Here’s what you must do before you can provision external users to your sites and products:

Subscribe to Atlassian Access from your organization. See Security with Atlassian Access

Make sure you're an admin for an Atlassian organization. Learn about Organization administration

Verify one or more of your domains in your organization. Learn about Domain verification

Add an identity provider directory to your organization. Learn how to Add an identity provider

Link verified domains to your identity provider directory. Learn how to link domains

Make sure you're an admin for at least one Jira or Confluence site to grant synced users access to.

Set up test accounts

To get started, we recommend trying the setup instructions with test accounts and test groups in Google Cloud (for example, atlassian-test-jira-users and atlassian-test-confluence-users).

Starting with test accounts can help to avoid disruption when someone unintentionally unassigns users from an Atlassian app. When you unassign users from the product, you disable their accounts, which also removes their access to Atlassian products.

Connect Google Cloud with SCIM provisioning

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Identity providers.

  3. Select Identity provider Directory for Google Cloud.

  4. Select Set up user provisioning.

  5. Copy the values for SCIM base URL and API key.

  6. Save your SCIM configuration.

Make sure you store the SCIM base URL and API key values, as we won't show them to you again.

Make sure you have a site in your organization

Users are synced to sites and products in your organization. When you provision users to an organization, you need to grant them access to products. You can do this after you add a site for a product.

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products > Product.

  3. Select Add product.

  4. Select a product you’d like to add.

  5. Enter the Site name (for example, example.atlassian.net).

Enable SCIM API Integration in Google Cloud Admin

As part of this step, you need the SCIM base URL and API key you copied.

  1. Log in to Google Cloud Admin and add the Atlassian Cloud application under SAML apps.

Screenshot of Enable SSO for SAML Application page

Currently, Google Cloud’s user provisioning setup requires that you finish SAML setup first; refer to Google Cloud’s documentation.

  2. Select Set Up User Provisioning.

Screenshot of set up user provisioning page

  3. Enter the API key you created in your Atlassian organization, followed by the SCIM base URL.

Screenshot of Authorize screen, asking to enter the access token from your Atlassian account
Screenshot of Provide Atlassian Cloud endpoint URL

  4. Configure any attribute mapping you need. Google’s defaults are designed to work with the Atlassian app out of the box, but you can make any additional changes for your organization’s needs here.

  5. Select the groups from Google with users that you want to sync.

  6. Select activate.

Screenshot of Activate provisioning

Verify emails for SCIM and SAML in Google Cloud Admin

User provisioning uses an email address to identify a user in the Atlassian app and then creates a new Atlassian account or links to an existing Atlassian account. As a result, if the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in the Google Cloud app, the user could end up with duplicate Atlassian accounts.

To avoid duplicate accounts, make sure the email address attribute that maps to the user account is the same for SAML SSO and SCIM user provisioning:

  1. From the Atlassian app under the SAML applications tab in Google Cloud Admin, note the field that maps to the Primary email attribute. The default is email, as shown in the screenshots.

Screenshot of Attribute mapping where you can map service provider attributes to available user profile fields
Screenshot of Service Provider Details
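
To check the mapping before you activate provisioning, the following added example (not Atlassian or Google code) compares the address that the SAML mapping and the SCIM mapping would each send for every user in a directory export, and lists the users who would end up with duplicate accounts. The field names primary_email and recovery_email and the sample records are constructed assumptions.

```python
# Added example: field names and sample records are constructed for
# illustration and are not taken from Google Cloud or Atlassian.

def normalize(email):
    """Trim and lower-case an address so cosmetic differences are ignored.
    Empty or missing values become None."""
    if not email or not email.strip():
        return None
    return email.strip().lower()


def find_email_mismatches(users, saml_field, scim_field):
    """Return one finding per user whose SAML and SCIM email sources differ.

    saml_field / scim_field name the profile field each mapping reads.
    A user is reported when either side is empty ("missing") or when the
    two normalized addresses are not equal ("different").
    """
    findings = []
    for user in users:
        saml_email = normalize(user.get(saml_field))
        scim_email = normalize(user.get(scim_field))
        if saml_email is None or scim_email is None:
            reason = "missing"
        elif saml_email != scim_email:
            reason = "different"
        else:
            continue
        findings.append({"id": user["id"], "saml": saml_email,
                         "scim": scim_email, "reason": reason})
    return findings


# Constructed directory export (hypothetical users).
SAMPLE_USERS = [
    {"id": "u1", "primary_email": "Ana@example.com", "recovery_email": "ana@example.com "},
    {"id": "u2", "primary_email": "bo@example.com", "recovery_email": "bo.personal@example.net"},
    {"id": "u3", "primary_email": "cy@example.com", "recovery_email": ""},
]

if __name__ == "__main__":
    # Both mappings read the same field: nothing to report.
    print(find_email_mismatches(SAMPLE_USERS, "primary_email", "primary_email"))
    # SCIM mapped to a different field than SAML: u2 and u3 are reported.
    for finding in find_email_mismatches(SAMPLE_USERS, "primary_email", "recovery_email"):
        print(finding)
```
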

Set up product access for provisioned users

To grant product access to any newly provisioned users, you need to set up product access for existing groups.

  1. From the site (example.atlassian.net) you added, go to Product access and find the product you’d like to add the group to.

  2. Select Add group and select or enter the name of the automatically-generated group containing all SCIM-synced users.

  3. Select Add groups to give the group product access.

    Learn more about updating product access settings
