Configure user provisioning with Okta

User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning when Okta is your identity provider. For the operations that user provisioning supports, see User provisioning features for more details.

After you configure user provisioning, you can manage user attributes and group memberships from your identity provider.

Before you begin

Here’s what you must do before you can provision external users to your sites and products:

Subscribe to Atlassian Guard Standard from your organization. Understand Atlassian Guard

Get the user provisioning functionality for your Okta account. See Lifecycle Management for more details.

Make sure you're an admin for an Atlassian organization.

Verify one or more of your domains in your organization. Learn about Domain verification

Add an identity provider directory to your organization. Learn how to add an identity provider

Link verified domains to your identity provider directory. Learn how to link domains

Make sure you're an admin for at least one Jira or Confluence site to grant synced users access to.

Set up test accounts

To get started, we recommend trying these setup instructions with test accounts and test groups in Okta, e.g. atlassian-test-jira-users and atlassian-test-confluence-users.

Starting with test accounts can help to avoid disruption when someone unintentionally unassigns users from the Atlassian app. When you unassign users from the app, you disable their accounts, which also removes their access to Atlassian products.

Connect Okta with SCIM provisioning

1. Go to admin.atlassian.com. Select your organization if you have more than one.

2. Select Security > Identity providers.

3. Select your Identity provider directory.

4. Select Set up user provisioning.

5. Copy the values for SCIM base URL and API key. You'll need them when you configure Okta. 

6. Save your SCIM configuration.

We automatically provision users and groups to Jira and Confluence sites in your organization. See the user provisioning page for more details on how your users and groups sync to your organization.

Enable SCIM API integration in Okta

As part of this step, you need the SCIM base URL and the API key you copied.

1. Log in to Okta and add the Atlassian Cloud application.

2. From the application, click on the Provisioning tab and then click Configure API integration.

3. Select Enable API integration.

4.Enter the SCIM base URL and API key you created in your Atlassian organization.

5. Select Test API Credentials. If the test passes, select Save.

6. Select the To App under Settings.

7. Select Edit and select Enable for the options you'd like to have.

8. Select Save to apply the integration settings.

Verify the email address in Okta

User provisioning uses an email address to identity a user in the Atlassian app and then create a new Atlassian account or link to an existing Atlassian account. As a result, if the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in the Okta app, the user could end up with duplicate Atlassian accounts.

To avoid duplicate accounts, make sure the email address attribute that maps user account is the same for SAML SSO and SCIM user provisioning:

1. From the User provisioning tab in Okta, note the field that maps to the Primary email attribute. The default is email, as shown in the screenshot.

2. Select the Sign on tab. From the Credentials details section, look for the Application username format setting. Okta passes this field from a user's account as the SSO email address when creating or linking an Atlassian account.

3. Make sure Application username format is set to the same attribute specified as Primary email in the previous step.

4. Make sure that Update application username on is set to Create and update. Select Save to apply your changes.

5. Select Update Now to push the change faster than the Okta automatic update.

Push groups to the organization

We recommend using the group synchronization feature to automatically manage user privileges and licenses using your directory, instead of manually managing these from the organization. This section describes how to configure group-based management.

1. In Okta, click on the Push Groups tab and then By name. Select the group name (e.g. atlassian-test-jira-users or atlassian-test-confluence-users) and click Save.

In the screenshot above, we use the atlassian-confluence-users group to manage product access to Confluence.

2. Review to make sure all desired groups have been pushed.

Assign users to the Atlassian application in Okta

1. In Okta, click the Assignments tab of the Atlassian application:
   
   

2. Select Assign, then Groups. Select the group you'd like to assign. In our example, the group is atlassian-confluence-users.

3. You'll see this dialog to set default values. These default values will be used only if the user profile does not have them set. All of these fields are optional and can be left blank. When you are done with this step, click Save and Go Back.

4. From your Atlassian organization, verify that users are synced. You can check either the Okta logs or your Identity provider page:

Configure product access for the provisioned groups and users

To grant product access to provisioned users, you need to set up product access for existing groups.

1. From the site (example.atlassian.net) you added, go to Product access and find the product you’d like to add the group to.

2. Select Add group and select or enter the name of the automatically-generated group containing all SCIM-synced users.

1. Select Add groups to give the group product access.
    Learn more about updating product access.