Configure user provisioning
Provisioning is available for all Atlassian accounts, which means that you can create, update, and deactivate accounts from your identity provider. Syncing groups is only currently available for Jira products and Confluence and not yet available for Bitbucket.
User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning for your identity provider. For the operations that user provisioning supports, see User provisioning features for more details.
After you configure user provisioning, you manage all user attributes and group memberships from your identity provider.
There are a couple of things you need to do before you can provision external users into your sites and products:
- Get the user provisioning functionality for your identity provider.
- Make sure you're an admin for the Atlassian organization. See Organization administration.
- Verify one or more or your domains in your organization. See Domain verification.
- Subscribe to Atlassian Access from your organization. See Atlassian Access security policies and features.
- Make sure you're an admin for at least one Jira or Confluence site that you want to grant synced users access to.
The instructions on this page only provide steps for configuring user provisioning in your Atlassian organization. Your identity provider may provide more setup instructions for what do from their side.
Create a SCIM token
- From your organization at admin.atlassian.com,click Directory and then User provisioning.
- Click Create a directory.
- Enter a name to identify the user directory, for example Okta users, then click Create.
Copy the values for Directory base URL and API key. You'll need those for your identity provider configuration later.
Make sure you store these values in a safe place, as we won't show them to you again.
- You'll now add Jira or Confluence sites to your organization so that provisioned users can be granted access to the products. See the user provisioning page for more details about why you want to add a site to your organization.
From the User provisioning page, click Add a site, select the site you want to add (e.g. example.atlassian.net), and follow the on-screen instructions.
Configure product access for the provisioned groups and users
To grant product access to any new provisioned users, set up product access for existing groups.
- From the site (example.atlassian.net) you added in the previous step, go to Product access and find the Confluence section.
- Click Add group and select or enter the name of the synchronized group.
- Click Add groups to finish giving the group product access.
You'll see a success flag that confirms the group is configured for product access. To learn more about configuring product access, see Update product access settings.
Do not make a synced group from your identity provider a default group. This may cause collisions when attempting to add users to the product that are not managed via SCIM.