You are viewing the Kantega SSO legacy documentation. The new documentation site is:
Skip to end of metadata
Go to start of metadata

There are two different ways of handling groups during SAML login, -Managed groups and Default groups.

Managed Groups

Setting up Managed groups, see screenshot below) will only add a group to a user during login if this user has the same group in his SAML response. 


Atlassian applications perform authorization by looking at the user's group memberships. Group Memberships are usually delegated to external User Directories such as Microsoft Active Directory.

However, this might not work for all use cases:

  • User accounts might live in a directory which is not supported by Atlassian's Embedded Crowd     
  • The application might be hosted in an environment which lacks network access to the directory 

In these cases, its useful to allow Kantega SSO to manage group memberships based on Group Claims included in the SAML response sent by the Identity Provider. We call this feature "Managed groups".

When a group is configured as managed in Kantega SSO, the following will happen when a user is logged in:

  • Does the SAML response include a group claim for the managed group? If so, make sure the user is added as a member.
  • No group claim found for the managed group? Make sure the user is removed from the group.

Only groups which are explicitly configured as managed by Kantega SSO will be affected by this feature. All other groups will be ignored, so you will still be able to manage some groups locally if you wish.

Configuring the identity provider

The first step is configuring the IDP to include group claims in SAML Responses when users log in. This is typically done in the IDP's administration console and depends on the IDP. We have included guides for some frequently requested IDPs below. If you can't find your IDP in the list, let us know and we'll investigate. You may also consult your IDP's documentation directly.


See: Managed groups: AD FS

Azure AD

See: Managed groups: Azure AD


See: Managed groups: Okta


See: Managed groups: Keycloak

Other identity providers

Please contact our support team, we'll be happy to help you set up your identity provider with group claims.

Test that the IDP is sending group claims

Once the identity provider is configured, run a SAML authentication test to verify that the identity provider actually sends the expected group claims. If group claims are detected, the test page will notify you of this and provide options for further configuration.

The example test result below shows that the user is a member of the jira-software-users group:

In the test results page, the following change to the managed group during login may appear:

Also "No change" and "Will be removed" are valid messages for changes for Managed groups.

Default groups

Setting up groups in Default groups will give the selected groups to all users logging in via SAML. So in the example below, all users will be given the group Users during login. The group Users is only an example.

  • No labels