With cloud user provisioning you can manage Atlassian accounts and security policies in one place. You will save time, increase security and gain greater control over your license costs.
Why cloud user provisioning?
Kantega SSO allows users to sign in using their SAML identity providers or using Kerberos tickets from their Active Directory Domain.
However, user accounts must still exist in JIRA, Confluence or Bitbucket.
With Kantega SSO and SAML you have the option to create Atlassian user accounts based on the user information sent from the identity provider. All though this approach makes sure that all users easily can log in, there are some disadvantages:
- Manual cleaning: Inactive and old users must still be deleted manually.
- Less control over user access and license costs: If users are created dynamically at login, you have less control of the set of users using the Atlassian products.
With cloud user provisioning, an auto synchronized and virtual user directory is setup. This takes responsibility of keeping the Atlassian products updated with user accounts, groups and group memberships.
How does it work?
Azure, G Suite and Okta all offer their own REST APIs giving access to information about your users and groups.
Since Atlassian do not support these APIs natively, we have created a bridge API which exposes the cloud provider APIs as Atlassian Crowd APIs.
Atlassian Crowd APIs is not used to make this work, so you do not need to have a license for the Atlassian Crowd products.
The Atlassian products communicate with Kantega SSO using the normal REST Crowd API.
Kantega SSO will take the responsibility of connecting to the cloud providers.
How do I set it up?
Kantega SSO provides customized instructions for connecting to Azure AD, Google GSuite or Okta:
Each cloud provider requires slightly different connection settings.
Here is an example showing how to connect to Google G Suite.
This requires your G Suite domain name, a JSON service key file and an admin account with API read permissions:
Once the connector is configured, we let you create a Crowd User Directory which will sync users and groups from the cloud provider.
Notice how we let you configure "Local Groups" permissions on the directory.
This allows users from Azure, G Suite or Okta to be added to local groups such as jira-software-users, confluence-users or bitbucket-users:
Once the Crowd User Directory has been synchronized, you can preview the users, groups and group memberships:
Filtering was introduced in version 3.4.18 of Kantega SSO. This allows you to limit the set of users and groups being extracted from the cloud repository. For Okta and Google Gsuite, you can filter users based on their group memberships. For Azure AD, you can filter both by group memberships and user type. The screenshot below shows how these filters are set up.
Filtering is useful when you have a large organization where only a subset should get access to the specific Atlassian products.
You are always welcome to reach out to our support team if you have any questions or would like a demo.