User provisioning

Our user provisioning features simplify management of users and their access permissions to Atlassian. This article describes pros and cons of Just-in-time provisioning and Synchronized cloud directories.
09/09/2019 - JIT provisioning, Synchronized cloud directories

Just-in-time (JIT) provisioning

JIT provisioning allows users to be created, updated and activated in user directories on the fly when they log in through SAML SSO to the Atlassian applications. User data is provided by the identity provider through name and email attributes in the SAML response messages. These attributes are defined through attribute mappings in the identity provider settings.


JIT can be used in combination with most writable user directories, including internal user directories, delegated LDAP, and Atlassian Crowd.

JIT provisioning can very well be combined with SAML group claims. This feature will authorize Atlassian users according to permissions defined at the identity providers. You can read more about this feature here: https://docs.kantega.no/x/D4OLB

Synchronized cloud directories

Synchronized cloud directories is an alternative solution where a continuous background process keeps a read-only user directory in the Atlassian application updated with users, groups and group memberships. This feature is currently available for Azure, GSuite and Okta.


The execution interval for the synchronization job can be configured and by default it is scheduled to run every hour.

You can also configure filters to limit the set of users being exported to Atlassian. The screenshot below shows an example of how Group filters can be defined to only synchronize members of particular groups.

Pros and Cons of the two alternatives

The main advantage of JIT provisioning is its flexibility. It also scales very well as user data is only sent when needed. However, the main disadvantage is that JIT will never remove or deactivate users, and the janitor work of removing old users is a manual job.

Synchronized cloud directories, on the other hand, are fully capable of creating, updating and also removing users that should no longer have access to the Atlassian applications. The amount of manual work is minimized and can be done in one place: in the cloud. The disadvantage of this approach is that the whole user directory is read each time the synchronization job is run. This limits the ability to scale to organizations with several thousand users.
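The difference in account lifecycle can be seen in a small model. This is an added example, not code from the product: the dictionary-based directory, the function names, the sample users and the choice to match accounts on lower-cased email are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class User:
    email: str
    name: str
    active: bool = True

def jit_login(directory, saml_attrs):
    """JIT: create or update one user from the SAML name/email attributes."""
    email = saml_attrs["email"].strip().lower()   # assumed matching key
    user = directory.get(email)
    if user is None:
        directory[email] = user = User(email, saml_attrs["name"])
    else:
        user.name, user.active = saml_attrs["name"], True
    return user

def stale_after_jit(directory, idp_users):
    """The manual janitor check: active accounts the IdP no longer knows."""
    known = {u["email"].strip().lower() for u in idp_users}
    return sorted(e for e, u in directory.items() if u.active and e not in known)

def full_sync(directory, idp_users, group_filter=None):
    """Sync: read the whole IdP user list, then create, update and deactivate."""
    wanted = {}
    for u in idp_users:
        if group_filter is None or group_filter & set(u["groups"]):
            wanted[u["email"].strip().lower()] = u["name"]
    for email, name in wanted.items():
        jit_login(directory, {"email": email, "name": name})
    removed = sorted(e for e, u in directory.items() if u.active and e not in wanted)
    for email in removed:
        directory[email].active = False
    return removed

# Constructed sample data: Bob has left the company and is gone from the IdP.
IDP_NOW = [
    {"email": "alice@example.com", "name": "Alice A", "groups": ["jira-users"]},
    {"email": "carol@example.com", "name": "Carol C", "groups": ["hr"]},
]

def demo():
    directory = {}
    for name in ("Alice", "Bob"):          # both logged in via SAML SSO earlier
        jit_login(directory, {"email": f"{name.lower()}@example.com", "name": name})
    jit_login(directory, {"email": "Alice@Example.com", "name": "Alice A"})  # update
    stale = stale_after_jit(directory, IDP_NOW)      # JIT alone left Bob active
    removed = full_sync(directory, IDP_NOW, {"jira-users"})
    return stale, removed, directory
```

With JIT alone, Bob's account stays active until someone runs the stale-account check by hand; the synchronization pass deactivates it and, because of the group filter, never creates Carol.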

Please contact our support team if you want a demo of these features or have any questions.
