There are two different ways of handling groups during SAML login: Managed groups and Default groups.
Setting up Managed groups (see screenshot below) will only add a group to a user during login if the user has the same group in their SAML response.
Atlassian applications perform authorization by looking at the user's group memberships. Group memberships are usually delegated to external user directories such as Microsoft Active Directory.
Only groups which are explicitly configured as managed by Kantega SSO will be affected by this feature. All other groups will be ignored, so you will still be able to manage some groups locally if you wish.
The first step is configuring the IDP to include group claims in SAML Responses when users log in. This is typically done in the IDP's administration console and depends on the IDP. We have included guides for some frequently requested IDPs below. If you can't find your IDP in the list, let us know and we'll investigate. You may also consult your IDP's documentation directly.
See: Managed groups: Okta
Please contact our support team; we'll be happy to help you set up your identity provider with group claims.
Once the identity provider is configured, run a SAML authentication test to verify that the identity provider actually sends the expected group claims. If group claims are detected, the test page will notify you of this and provide options for further configuration.
"No change" and "Will be removed" are also valid change messages for Managed groups.
Setting up groups in Default groups will give the selected groups to all users logging in via SAML. So in the example below, all users will be given the group Users during login. The group Users is only an example.
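The sketch below models how Managed groups and Default groups combine at login. It is an added example, not Kantega SSO's own code. It assumes that a managed group missing from the SAML response is the case reported as "Will be removed"; the "Will be added" label, the function names and every group name except Users are hypothetical.

```python
# Added example: a model of the group handling described above, not Kantega SSO code.
ADD = "Will be added"      # assumed label; the page names only the two below
KEEP = "No change"
REMOVE = "Will be removed"


def plan_group_changes(current, saml_groups, managed, default):
    """Return ({group: message}, groups_after_login) for one SAML login."""
    current, saml_groups = set(current), set(saml_groups)
    managed, default = set(managed), set(default)
    if managed & default:
        # Choice made for this example: refuse an ambiguous configuration.
        raise ValueError(f"managed and default overlap: {sorted(managed & default)}")

    plan = {}
    for group in sorted(managed):
        held, claimed = group in current, group in saml_groups
        if claimed and not held:
            plan[group] = ADD
        elif held and not claimed:
            plan[group] = REMOVE   # assumption: a missing claim revokes the group
        else:
            plan[group] = KEEP
    for group in sorted(default):
        plan[group] = KEEP if group in current else ADD

    # Groups outside `managed` are never touched, whether held locally or claimed.
    after = (current - managed) | (managed & saml_groups) | default
    return plan, after


def demo():
    """Constructed sample data; every group name except Users is hypothetical."""
    return plan_group_changes(
        current={"local-admins", "jira-developers", "jira-servicedesk"},
        saml_groups={"jira-developers", "confluence-editors", "finance"},
        managed={"jira-developers", "jira-servicedesk", "confluence-editors"},
        default={"Users"},
    )


if __name__ == "__main__":
    plan, after = demo()
    for group, message in plan.items():
        print(f"{group:20} {message}")
    print("after login:", sorted(after))
```

Because every SAML login receives the Default groups, a group listed there should carry only the permissions intended for every federated user.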