Just-in-time (JIT) provisioning creates, updates and activates user accounts in the Internal user directory on the fly, at the moment a user logs in with SAML. The user data comes from the identity provider (IdP) as attributes in the SAML response. Which attributes are used, and which user fields they populate, can be customized through attribute mappings on both the IdP side and in Kantega SSO.
JIT provisioning can be combined with SAML group claims to keep the user's group memberships up to date.
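The provisioning step described above, as an added Python illustration that is not part of the page or of Kantega SSO's own code. It assumes the SAML response has already been signature-verified and validated by the SAML library; the claim URIs in the mapping are the ones Azure AD emits by default and the sample response is constructed for the example. Group memberships are replaced with the claimed set on every login, which is what "kept in sync every time the user logs in" means in practice: a group removed at the IdP disappears locally only at the user's next login.

```python
"""Minimal JIT provisioning from a SAML assertion (added illustration).

Assumes the SAML response has already been signature-verified and validated
(audience, conditions, InResponseTo) before this code runs; this covers only
the provisioning step that follows. Use a hardened XML parser in production.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute mapping: local user field -> SAML attribute Name sent by the IdP.
# These are the claim URIs Azure AD emits by default; treat them as an
# assumption, the real names depend on how the IdP is configured.
DEFAULT_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "display_name": "http://schemas.microsoft.com/identity/claims/displayname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Constructed sample response; the user and group names are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>jira-users</saml:AttributeValue>
        <saml:AttributeValue>confluence-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from a SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def provision_user(directory, xml_text, mapping=DEFAULT_MAPPING):
    """Create or update the user's record in `directory` (dict keyed by username).

    Each login re-applies the mapped attributes, re-activates the account and
    replaces the user's group set with the groups claimed in the assertion.
    """
    name_id, attrs = parse_assertion(xml_text)
    user = directory.setdefault(name_id, {"username": name_id, "groups": set()})
    for field, saml_name in mapping.items():
        if field == "groups":
            continue
        values = attrs.get(saml_name)
        if values:
            user[field] = values[0]
    user["active"] = True
    user["groups"] = set(attrs.get(mapping["groups"], []))
    return user


if __name__ == "__main__":
    users = {}
    print(provision_user(users, SAMPLE_RESPONSE))
```

Note what the example does not do: nothing here deactivates an account, because JIT only ever sees users who successfully log in. A user removed at the IdP simply stops being able to authenticate; their local account stays as it was until something else (a connector, or an administrator) touches it.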
Connectors are currently available for Azure, GSuite and Okta. Configuring a connector gives you a synchronized user directory containing your cloud users and their memberships, functionally similar to the LDAP and Crowd directories you are already familiar with. A background process regularly retrieves updates from the cloud provider, keeping users and group memberships up to date. The synchronization interval is configurable; the default is every hour.
You can also configure filters to limit the set of users being exported to Atlassian. The screenshot below shows an example of how group filters can be defined to include only members of particular groups.
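One connector run with a group filter applied, as an added Python illustration that is not Kantega SSO's own code. The cloud snapshot is constructed for the example, and two details are assumptions rather than documented behaviour: only memberships of the filtered groups are imported, and users that drop out of the filter are deactivated rather than deleted.

```python
"""Connector-style directory sync with a group filter (added illustration).

`cloud` stands in for the user list a connector fetches from the provider's
API on each scheduled run. The snapshot below is constructed; the rule that
vanished users are deactivated instead of deleted is an assumption, not a
statement about how Kantega SSO's connectors behave.
"""

# Constructed snapshot of the cloud directory: username -> (email, groups).
CLOUD_SNAPSHOT = {
    "alice": ("alice@example.com", {"jira-users", "finance"}),
    "bob": ("bob@example.com", {"confluence-users"}),
    "carol": ("carol@example.com", {"finance"}),  # matches no filtered group
}


def sync_directory(local, cloud, include_groups):
    """Bring `local` (username -> record) in line with the `cloud` snapshot.

    Only users in at least one group of `include_groups` are synchronized,
    and only their memberships of those groups are imported. Local users that
    no longer match are deactivated, never deleted, so content they own stays
    attributed to them. Returns counters for the run.
    """
    include = set(include_groups)
    report = {"created": 0, "updated": 0, "deactivated": 0}

    # Apply the group filter to the incoming snapshot.
    wanted = {}
    for username, (email, groups) in cloud.items():
        kept = set(groups) & include
        if kept:
            wanted[username] = (email, kept)

    # Create missing users, update changed ones.
    for username, (email, groups) in wanted.items():
        record = local.get(username)
        if record is None:
            local[username] = {"username": username, "email": email,
                               "groups": groups, "active": True}
            report["created"] += 1
        elif (record["email"] != email or record["groups"] != groups
              or not record["active"]):
            record.update(email=email, groups=groups, active=True)
            report["updated"] += 1

    # Anyone present locally but absent from the filtered snapshot loses
    # access now, not at some future login.
    for username, record in local.items():
        if username not in wanted and record["active"]:
            record["active"] = False
            record["groups"] = set()
            report["deactivated"] += 1
    return report


if __name__ == "__main__":
    directory = {}
    print(sync_directory(directory, CLOUD_SNAPSHOT, {"jira-users", "confluence-users"}))
    print(directory)
```

The last loop is the part JIT provisioning cannot give you: a user removed from the cloud directory, or from every filtered group, is deactivated on the next scheduled run regardless of whether they ever try to log in again.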
Which provisioning option to use isn't always obvious; both have their pros and cons. Below, we've tried to summarize the main points.
Just-in-time provisioning:
+ Scales to an "unlimited" number of user accounts (whatever the user database can handle; we've never seen anyone hit a practical limit).
+ User accounts are only created when they're needed.
+ Groups can be kept in sync every time the user logs in (changes made at the IdP take effect at the user's next login).
+ No network dependencies: all the information is carried in the SAML token.
+ Can be used with any SAML provider.