Configure user provisioning
User provisioning integrates an external user directory with your Atlassian Cloud products. This page describes how to configure user provisioning for your identity provider. For the operations that user provisioning supports, see User provisioning features for more details.
After you configure user provisioning, you manage all user attributes and group memberships from your IdP.
As an organization admin, there are a couple of things you need to do before you can provision external users into your Cloud sites and products:
- Get the user provisioning functionality for your identity provider.
- Make sure you're an admin for an Atlassian Cloud organization. See Organization administration.
- Verify one or more or your domains in your Cloud organization. See Domain verification.
- Subscribe to Atlassian Access from your Atlassian Cloud organization. See Apply Atlassian Access policies and features.
- Make sure you're an admin for at least one Jira or Confluence site that you want to grant synced users access to.
The instructions on this page only provide steps for configuring user provisioning in your Atlassian organization. Your identity provider may provide more setup instructions for what do from their side.
Create a SCIM token in Atlassian Cloud
From your organization at admin.atlassian.com,click Directory and then User provisioning.
While we make updates to the admin experience, you may not need to click Directory to get to User provisioning.
- Click Create a directory.
- Enter a name to identify the user directory, for example Okta users, then click Create.
Copy the values for Directory base URL and API key. You'll need those for your identity provider configuration later.
Make sure you store these values in a safe place, as we won't show them to you again.
- You'll now add Jira or Confluence sites to your organization so that provisioned users can be granted access to the products. See the user provisioning page for more details about why you want to add a site to your organization.
From the User provisioning page, click Add a site, select the site you want to add (e.g. example.atlassian.net), and follow the on-screen instructions.
Configure product access for the provisioned groups and users
- From the Atlassian product site (example.atlassian.net) you added in step 5 above, go to Product access and find the Confluence section. Click Add group and enter the name of the synchronized group. Click Grant access to confirm the change. Read more about how to configure product access.
- Confirm that the group is configured for product access:
Do not make a synced group from your identity provider a default group. This may cause collisions when attempting to add users to the product that are not managed via SCIM.