Understand customer provisioning for Jira Service Management
You can connect one identity provider and configure single sign-on and/or provisioning for your customers (Jira Service Management) when you subscribe to Atlassian Guard Standard.
The ability to provision Jira Service Management customers is available for people in an early access program (EAP). This feature will be available to everyone soon.
We support provisioning using the System for Cross-domain Identity Management (SCIM), and this feature uses the SCIM 2.0 version of the protocol.
Customer provisioning integrates an external user directory with your Jira Service Management site. This integration allows you to automatically update the customers and customer organizations in Jira Service Management when you make updates in your identity provider. For example, with customer provisioning, you can create, link, and deactivate customer accounts from your identity provider.
Supported identity providers
You can use the identity provider of your choice, but some capabilities are only available with selected identity providers. Which identity providers we support
Your SCIM setup depends on the identity provider. The Atlassian support team can provide setup instructions for supported identity providers.
Before you configure customer provisioning, you’ll need to add your identity provider to your Jira Service Management site. How to connect an identity provider
How customer provisioning works
After you configure an identity provider for your Jira Service Management site through SCIM provisioning, users and groups sync to your Jira Service Management site as customers and customer organizations, making them available for granting help center access and associated portal access. More about customers and customer organizations
Customers are people who submit help requests to Jira Service Management through support channels, including your help centers, portals, emails and widgets. We don’t count Jira Service Management customers toward your subscription.
The following diagram illustrates how sync works after you set up provisioning for Jira Service Management on your site.
Allowed number of groups and users
A large number of groups and users can take a while to sync to Jira Service Management. These are the limits for how many groups you can sync.
You can only sync up to:
150,000 users per group
20,000 groups per identity provider directory
Users and groups sync from your identity provider to Jira Service Management
When you set up SCIM provisioning for Jira Service Management, you can create customers and groups directly in your identity provider. Users and groups in your identity provider will sync to Jira Service Management as customers and organizations, as shown in the diagram.
If your Jira Service Management site already has existing customers:
And the identity provider has a user with the same email address as a customer on your site, we will establish a connection between both accounts. Subsequently, any modifications to the account must be made from your identity provider.
And the identity provider doesn't have a user with the same email address as a customer on your site, the user's access remains unchanged, and you can continue to manage that customer from your site.
Syncing more than 500 groups will take a significant amount of time. Be prepared to wait a while for the sync to complete.
Customer organizations associated with Jira Service Management projects
Customer organizations can be assigned to a single service project or multiple ones. This association makes the members of the customer organization available for the respective service projects, as illustrated in the diagram.
SCIM provisioning features
Once you connect your identity provider to Jira Service Management, you should manage user attributes and group memberships from your identity provider. However, if you want to manage customers and customer organizations from Jira Service Management, you must disable the connection with your identity provider.
Manage group names
You can change the group's name in your identity provider. The updated group name will be synchronized with the associated customer organization in Jira Service Management.
Manage group name conflicts
When syncing groups, conflicts may occur if customer organizations on your site use the same name as groups in your identity provider. You can choose how to sync groups to manage group conflicts during SCIM configuration, or update the setting later. How to manage group conflicts when syncing customer organizations
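The sync limits, the email-based account linking, and the group name conflicts described above can all be checked before the first sync. The following is an added example, not Atlassian code: the input shapes, the sample data, and the case-insensitive email comparison are assumptions, and group names are compared as exact strings.

```python
# Added example: pre-sync audit of an identity provider export against the
# customers and customer organizations that already exist on the site.
MAX_USERS_PER_GROUP = 150_000      # limit stated on this page
MAX_GROUPS_PER_DIRECTORY = 20_000  # limit stated on this page
SLOW_SYNC_GROUPS = 500             # page warns that more than this syncs slowly


def norm(email):
    # Assumption: emails are matched case-insensitively after trimming.
    return email.strip().lower()


def audit(idp_users, idp_groups, jsm_customers, jsm_orgs):
    """Predict what the first sync will do, using the rules on this page."""
    idp_emails = {norm(e) for e in idp_users}
    site_emails = {norm(e) for e in jsm_customers}
    member_emails = {norm(m) for ms in idp_groups.values() for m in ms}
    return {
        # Existing customers that get linked and become IdP-managed.
        "will_link": sorted(idp_emails & site_emails),
        # Existing customers left unchanged and still managed on the site.
        "stay_local": sorted(site_emails - idp_emails),
        # IdP users with no matching customer: new accounts are created.
        "will_create": sorted(idp_emails - site_emails),
        # Group names that collide with existing customer organizations.
        "name_conflicts": sorted(set(idp_groups) & set(jsm_orgs)),
        "oversized_groups": sorted(
            g for g, ms in idp_groups.items() if len(ms) > MAX_USERS_PER_GROUP),
        "too_many_groups": len(idp_groups) > MAX_GROUPS_PER_DIRECTORY,
        "slow_sync_expected": len(idp_groups) > SLOW_SYNC_GROUPS,
        # Group members missing from the user export: the export is incomplete.
        "unknown_members": sorted(member_emails - idp_emails),
    }


# Constructed sample data.
IDP_USERS = ["Ana@example.com", "bo@example.com"]
IDP_GROUPS = {"Acme Corp": ["ana@example.com"],
              "Globex": ["bo@example.com", "cy@example.com"]}
JSM_CUSTOMERS = ["ana@example.com", "dee@example.com"]
JSM_ORGS = ["Acme Corp", "Initech"]

if __name__ == "__main__":
    for key, value in audit(IDP_USERS, IDP_GROUPS, JSM_CUSTOMERS, JSM_ORGS).items():
        print(f"{key}: {value}")
```

Review the `will_link` list before enabling provisioning, because those accounts can afterwards only be modified from the identity provider.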
Supported account operations
When you perform these user management operations from your identity provider, your updates will sync with Jira Service Management.
Operations in IdP | Notes |
---|---|
Create a new user account | A customer account gets created in Jira Service Management. |
Link an existing user account | If an account already exists in Jira Service Management, we'll automatically link the user in your identity provider to the customer in Jira Service Management. |
Update a user's account details | You can update these user attributes from your identity provider:
If an account status is not set by the identity provider while calling SCIM API, it will default to If a user’s locale is not supported by Atlassian, it will be mapped to our supported locales. Read more about our supported languages Updating the email address of a synced user is not allowed. |
Activate a user account | You can activate a customer account from your identity provider. |
Deactivate a user account | You can deactivate a customer account from your identity provider. When you deactivate a user:
Customer organization memberships remain unchanged in Jira Service Management and will be reinstated if the user is reactivated from your identity provider. To ensure memberships are removed, remove the user from all groups in your identity provider before deactivating it. |
Delete a user account | The user is deleted from your site and removed from any customer organizations the user is a member of. |
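Because a deactivated user keeps their customer organization memberships, offboarding needs the group removals to happen before deactivation. The following added example (not Atlassian code) builds that ordered sequence using generic SCIM 2.0 PATCH messages from RFC 7644, and also finds deactivated users who are still listed in groups. The directory shape, the ids, and the assumption that your identity provider sends requests in this form are illustrative.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644


def offboarding_plan(user_id, groups):
    """Ordered SCIM PATCH requests: group removals first, deactivation last.

    groups maps a group id to the set of member user ids (constructed shape).
    """
    if '"' in user_id or "\\" in user_id:
        raise ValueError("user id cannot be embedded safely in a SCIM filter")
    plan = []
    for gid in sorted(g for g, members in groups.items() if user_id in members):
        plan.append(("PATCH", f"/Groups/{gid}", {
            "schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "remove",
                            "path": f'members[value eq "{user_id}"]'}],
        }))
    plan.append(("PATCH", f"/Users/{user_id}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }))
    return plan


def lingering_memberships(active_by_user, groups):
    """Deactivated users still listed in groups. Per this page, these
    memberships are reinstated if the user is reactivated."""
    found = {}
    for gid, members in groups.items():
        for uid in members:
            if active_by_user.get(uid) is False:
                found.setdefault(uid, []).append(gid)
    return {uid: sorted(gids) for uid, gids in sorted(found.items())}


# Constructed sample directory state.
ACTIVE = {"u-1": True, "u-2": False, "u-3": True}
GROUPS = {"g-acme": {"u-1", "u-2"}, "g-globex": {"u-1"}, "g-initech": {"u-2"}}

if __name__ == "__main__":
    print(lingering_memberships(ACTIVE, GROUPS))
    for method, path, body in offboarding_plan("u-1", GROUPS):
        print(method, path, body["Operations"])
```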
Supported group operations
Use groups to manage the grouping of customers from your identity provider. These updates will sync with customer organizations in your Jira Service Management site. You can manage groups synced from your identity provider directory via SCIM.
Operations in IdP | Notes |
---|---|
Create a group | The group gets created as a read-only customer organization in Jira Service Management. You can only edit groups from your identity provider. Give the new group a name that doesn't already exist as a customer organization in Jira Service Management. |
Rename a group | The updated group name will be synced with the associated customer organization in Jira Service Management. |
Delete a group | Delete a group from your identity provider to remove the customer organization from your Jira Service Management site. |
Push an existing group | When attempting to push a group from your identity provider that uses the same name as a customer organization in Jira Service Management, the outcome will depend on your group conflict settings:
|
Update group membership | You can update groups from your identity provider to change the customer organization’s access permission to your Jira Service Management projects. |