With cloud user provisioning you can manage Atlassian accounts and security policies in one place. You will save time, increase security and gain greater control over your license costs.
Why cloud user provisioning?
Kantega SSO allows users to sign in using their SAML identity providers or using Kerberos tickets from their Active Directory Domain.
However, user accounts must still exist in JIRA, Confluence or Bitbucket.
With Kantega SSO and SAML you also have the option to create Atlassian user accounts on the fly from the user information sent by the identity provider. Although this approach makes sure that every user can log in easily, it has some disadvantages:
- Manual clean-up: inactive and old users must still be deleted manually.
- Less control over user access and license costs: if users are created dynamically at login, you have less control over which users consume the Atlassian products and their licenses.
With cloud user provisioning, an automatically synchronized virtual user directory is set up instead. It takes responsibility for keeping the Atlassian products in step with the cloud provider's user accounts, groups and group memberships.
How does it work?
Azure AD, G Suite and Okta all offer their own REST APIs giving access to information about your users and groups.
Since the Atlassian products do not support these APIs natively, we have built a bridge API that exposes the cloud provider APIs as Atlassian Crowd APIs.
No Atlassian Crowd server is involved, only the Crowd REST protocol that the Atlassian products already speak, so you do not need a license for the Atlassian Crowd product.
The Atlassian products communicate with Kantega SSO over the normal Crowd REST API.
Kantega SSO takes responsibility for connecting to the cloud providers and holds the cloud API credentials, so the Atlassian products never see them.
How do I set it up?
Kantega SSO provides customized instructions for connecting to Azure AD, Google G Suite or Okta:
Each cloud provider requires slightly different connection settings.
For G Suite this requires your G Suite domain name, a JSON service account key file and an admin account with API read permissions:
Once the connector is configured, you create a Crowd User Directory which will sync users and groups from the cloud provider.
Note that you can configure "Local Groups" permissions on the directory.
This allows users from Azure AD, G Suite or Okta to be added to local groups such as jira-software-users, confluence-users or bitbucket-users, the groups that grant product access and therefore consume licenses:
Once the Crowd User Directory has been synchronized, you can preview the users, groups and group memberships before any of them log in:
The setup wizard helps you prepare an API application in the Azure portal and extract the values below.
These are the steps to follow:
1. Add the app
Go to "App registrations" in the Azure portal.
Click the "New registration" button. Give your app a name and leave "Supported account types" unchanged.
Let the Redirect URI type be "Web" and paste the value given in the wizard of Kantega Single Sign-on.
Click "Register". Copy the "Application (client) ID" value into the "Application Id" field in the form in Kantega Single Sign-on.
2. Generate a password
Click "Certificates & secrets" in the left menu.
Then click "New client secret".
If you like, add a Description, choose an expiry, and click "Add". This secret grants read access to your entire directory, so prefer a finite expiry over a non-expiring secret, record the expiry date, and replace the value in Kantega Single Sign-on before it lapses, since an expired secret stops the directory sync.
Copy the VALUE of the new secret (it is shown only once, right after creation) and paste it into the "Password" field in the form in Kantega Single Sign-on.
3. Configure permissions
- Select "API permissions" in the left menu.
- Click "Add a permission".
- Click the upper banner "Microsoft Graph".
- Then select "Application permissions" (not "Delegated permissions": the sync runs as the application, with no signed-in user).
- Expand the Directory item and tick Directory.Read.All,
- expand the Group item (you may need to scroll) and tick Group.Read.All,
- and expand the User item and tick User.Read.All.
- Click "Add permissions", then click "Grant admin consent" for your tenant. Application permissions only take effect after a tenant administrator has consented; until then the sync will be denied access.
4. Insert Azure Tenant Name
Find the "Azure Tenant Name" by searching for "tenant status" at the top of the Azure portal. The "Tenant Status" page shows the "Tenant Name", which is the tenant's domain name.
Insert this value into the "Azure Tenant Name" field in the wizard form in Kantega Single Sign-on.
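Before creating the Crowd User Directory it is worth checking that the three values from the steps above actually work and that admin consent was granted. The script below is an added example for that check, not Kantega's code: it reads the tenant name, application id and client secret from environment variables (TENANT, CLIENT_ID and CLIENT_SECRET, names chosen here), obtains a token with the client-credentials grant against Microsoft's public login and Graph endpoints, verifies that the three application permissions appear in the token's "roles" claim, and then lists users and groups the way a sync would, following Graph's pagination links.

```python
"""Check an Azure AD app registration before wiring it into Kantega SSO.

Added example, not part of the Kantega SSO product. Assumes the wizard values
are provided as environment variables TENANT, CLIENT_ID and CLIENT_SECRET.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Application permissions from step 3. Once consented, they show up as app
# roles in the "roles" claim of the access token.
REQUIRED_ROLES = {"Directory.Read.All", "Group.Read.All", "User.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> set:
    """Return the app roles embedded in a Graph access token.

    The signature is deliberately not verified here: Graph is the party that
    relies on this token, we only read the claim to see what consent produced.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(roles) -> set:
    """Permissions from step 3 that admin consent did not grant."""
    return REQUIRED_ROLES - set(roles)


def collect_pages(fetch_json, url: str, limit: int = 100000) -> list:
    """Follow @odata.nextLink until the collection is exhausted.

    fetch_json(url) -> dict is injected so the paging logic can be exercised
    without network access.
    """
    items = []
    while url and len(items) < limit:
        page = fetch_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def get_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def graph_fetcher(access_token: str):
    """Build a fetch_json(url) closure that sends the bearer token."""
    def fetch_json(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch_json


def main() -> int:
    tenant, client_id, secret = (os.environ[k] for k in ("TENANT", "CLIENT_ID", "CLIENT_SECRET"))
    token = get_token(tenant, client_id, secret)
    missing = missing_roles(token_roles(token))
    if missing:
        print("admin consent missing for:", ", ".join(sorted(missing)))
        return 1
    fetch = graph_fetcher(token)
    users = collect_pages(fetch, f"{GRAPH}/users?$select=userPrincipalName,accountEnabled&$top=999")
    groups = collect_pages(fetch, f"{GRAPH}/groups?$select=displayName&$top=999")
    disabled = sum(1 for u in users if u.get("accountEnabled") is False)
    print(f"{len(users)} users ({disabled} disabled), {len(groups)} groups visible to the app")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit with a list of missing roles means step 3 was completed but admin consent was not granted (or was granted for the wrong permission type). The user and group counts should match what the Crowd User Directory preview shows after its first synchronization; disabled accounts are reported separately because they still appear in Graph and the directory may treat them differently from deleted ones.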
You are always welcome to reach out to our support team if you have any questions or would like a demo.