Configure user provisioning with Google Cloud

Provisioning is available for all Atlassian accounts, which means that you can create, update, and deactivate accounts from your identity provider. Syncing groups is currently available only for Jira products and Confluence, and is not yet available for Bitbucket.

User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning when Google Cloud is your identity provider. For the operations that user provisioning supports, see Understand user provisioning.

After you configure user provisioning, you can manage user attributes and group memberships from your identity provider.

To get started, we recommend trying these setup instructions with test accounts and test groups in Google Cloud, e.g. atlassian-test-jira-users and atlassian-test-confluence-users.

Starting with test accounts can help to avoid disruption when someone unintentionally unassigns users from the Atlassian app. When you unassign users from the app, you disable their accounts, which also removes their access to Atlassian products.

Prerequisites

There are a couple of things you need to do before you can provision external users into your sites and products:

  1. Get the user provisioning functionality for your Google account. See Google Cloud Identity Help.

  2. Make sure you're an admin for the Atlassian organization. See Organization administration.

  3. Verify one or more of your domains in your organization. See Domain verification.

  4. Subscribe to Atlassian Access from your organization. See Security with Atlassian Access.

  5. You should be an admin for at least one Jira or Confluence site that you want to grant synced users access to.

Step 1. Create a SCIM Directory

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Settings > User provisioning.

  3. Select Create a directory.

A screenshot of Sync users from your external directory with a Create a directory button

  4. Enter a name to identify the user directory, for example Google Cloud users, then click Create.

Screenshot of Create a directory screen with a text box for the name and a Create button

  5. Copy the values for Directory base URL and API key. You'll need these when you configure the Google Cloud application later.

Make sure you store these values in a safe place, as we won't show them to you again.

  6. Now add Jira or Confluence sites to your organization. You need to do this so that provisioned users can be granted access to the products.
     On the 'User provisioning' page, click Add a site, select the site you want to add (e.g. example.atlassian.net), and follow the on-screen instructions.

Screenshot of User provisioning page on the Product access tab, with Add a site button

Step 2. Enable SCIM API Integration in Google Cloud Admin

For this step you'll need the Directory base URL and API key (the bearer token) from Step 1. Create a SCIM Directory above.

  1. Log in to Google Cloud Admin and add the Atlassian Cloud application under SAML apps.

Screenshot of Enable SSO for SAML Application page

  2. Currently, Google Cloud’s user provisioning setup requires that you finish SAML setup first; refer to Google Cloud’s documentation.

  3. Click Set Up User Provisioning.

Screenshot of set up user provisioning page

  4. Enter the API key you created in your Atlassian organization, followed by the Directory base URL.

Screenshot of Authorize screen, asking to enter the access token from your Atlassian account
Screenshot of Provide Atlassian Cloud endpoint URL

  5. Configure any attribute mapping you need. Google’s defaults are designed to work with the Atlassian app out of the box, but you can make any additional changes for your organization’s needs here.

  6. Select the groups from Google with users that you want to sync. Because Google doesn’t currently support the Groups entity in the SCIM specification, users will sync to the All members for directory - <directory_id> group in your Atlassian organization.

  7. Click Activate.

Screenshot of Activate provisioning

Step 3. Verify emails are the same for SCIM and SAML in Google Cloud Admin

User provisioning uses an email address to identify a user in the Atlassian app, and then creates a new Atlassian account or links to an existing Atlassian account. As a result, if the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in the Google Cloud app, the user could end up with duplicate Atlassian accounts.

To avoid duplicate accounts, make sure the email address attribute that maps the user account is the same for SAML SSO and SCIM user provisioning:

  1. From the Atlassian app under the SAML applications tab in Google Cloud Admin, note the field that maps to the Primary email attribute. The default is email, as shown in the screenshots.

Screenshot of Attribute mapping where you can map service provider attributes to available user profile fields
Screenshot of Service Provider Details
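
An added example, not part of Atlassian's or Google's documentation: a Python check for the mismatch described in this step, comparing the primary email in each SCIM 2.0 User resource with the email sent for the same user over SAML. The `saml_emails` export keyed by `externalId`, the sample users, and the case-insensitive comparison are assumptions made for illustration.

```python
# Added example (not Atlassian or Google code). All sample data is constructed.

def primary_email(scim_user):
    """Email a SCIM 2.0 User resource (RFC 7643) presents as primary, lowercased."""
    emails = [e for e in scim_user.get("emails") or [] if e.get("value")]
    # Prefer the entry flagged primary, then the first entry, then userName.
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    value = chosen["value"] if chosen else scim_user.get("userName", "")
    return value.strip().lower() or None

def find_email_mismatches(scim_users, saml_emails):
    """Return (externalId, scim_email, saml_email, reason) per inconsistent user.

    saml_emails is a hypothetical export: externalId -> the value sent for the
    Primary email attribute over SAML. Comparison is case-insensitive, which
    is an assumption of this example.
    """
    findings = []
    for user in scim_users:
        ext_id = user.get("externalId")
        scim_email = primary_email(user)
        saml_email = saml_emails.get(ext_id)
        if saml_email is None:
            findings.append((ext_id, scim_email, None, "no SAML email on record"))
        elif saml_email.strip().lower() != scim_email:
            findings.append((ext_id, scim_email, saml_email.strip().lower(), "email differs"))
    return findings

# Constructed SCIM User resources, shaped like entries in a SCIM ListResponse.
SCIM_USERS = [
    {"externalId": "u-1001", "userName": "Ana.Silva@example.com",
     "emails": [{"value": "Ana.Silva@example.com", "primary": True}]},
    {"externalId": "u-1002", "userName": "b.chen@example.com",
     "emails": [{"value": "bchen@corp.example.com", "primary": False},
                {"value": "b.chen@example.com", "primary": True}]},
    {"externalId": "u-1003", "userName": "c.diaz@example.com"},
]
# Constructed SAML side: u-1002 is mapped to a different field, u-1003 is missing.
SAML_EMAILS = {"u-1001": "ana.silva@example.com", "u-1002": "bchen@corp.example.com"}

if __name__ == "__main__":
    for finding in find_email_mismatches(SCIM_USERS, SAML_EMAILS):
        print(finding)
```

Any user it reports is a candidate for a duplicate Atlassian account and should be corrected in the attribute mapping before provisioning is activated for production groups.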

Step 4. Set up product access for provisioned users

To grant product access to any new provisioned users, set up product access for existing groups.

  1. From the site (example.atlassian.net) you added in the previous step, go to Product access and find the Jira Service Management section.

  2. Click Add group and select or enter the name of the automatically-generated group containing all SCIM-synced users.

Screenshot of Add groups to a product

  3. Click Add groups to finish giving the group product access.
     You'll see a success flag that confirms the group is configured for product access. To learn more about configuring product access, see Update product access settings.

Confirmation that the Product access has been updated

Do not make the group of all SCIM-synced users a default group. This may cause collisions when attempting to add users to the product that are not managed via SCIM.
