Configure user provisioning with Google Cloud
Provisioning is available for all Atlassian accounts, which means that you can create, update, and deactivate accounts from your identity provider. Group syncing is currently available only for Jira products and Confluence; it is not yet available for Bitbucket.
User provisioning integrates an external user directory with your Atlassian organization. This page describes how to configure user provisioning when Google Cloud is your identity provider. For the operations that user provisioning supports, see User provisioning features.
After you configure user provisioning, you can manage user attributes and group memberships from your identity provider.
To get started, we recommend trying these setup instructions with test accounts and test groups in Google Cloud, e.g. atlassian-test-jira-users and atlassian-test-confluence-users.
Starting with test accounts helps avoid disruption if someone unintentionally unassigns users from the Atlassian app. When you unassign users from the app, you disable their accounts, which also removes their access to Atlassian products.
There are a few things you need to do before you can provision external users into your sites and products:
Get the user provisioning functionality for your Google account. See Google Cloud Identity Help.
Make sure you're an admin for the Atlassian organization. See Organization administration.
Verify one or more of your domains in your organization. See Domain verification.
Subscribe to Atlassian Access from your organization. See Security with Atlassian Access.
You should be an admin for at least one Jira or Confluence site that you want to grant synced users access to.
Step 1. Create a SCIM Directory
From your organization at admin.atlassian.com, click Directory and then User provisioning.
Choose User provisioning on the left, then click Create a directory.
Enter a name to identify the user directory, for example Google Cloud users, then click Create.
Copy the values for Directory base URL and API key. You'll need those for when you configure the Google Cloud application later.
Make sure you store these values in a safe place, as we won't show them to you again.
Now add Jira or Confluence sites to your organization. You need to do this so that provisioned users can be granted access to the products.
On the 'User provisioning' page, click Add a site, select the site you want to add (e.g. example.atlassian.net), and follow the on-screen instructions.
Step 2. Enable SCIM API Integration in Google Cloud Admin
For this step you'll need the Directory base URL and the API key (used as the bearer token) from Step 1 above.
Log in to Google Cloud Admin and add the Atlassian Cloud application under SAML apps.
Currently, Google Cloud’s user provisioning setup requires that you finish SAML setup first; refer to Google Cloud’s documentation for that procedure.
Click Set Up User Provisioning.
Enter the API key you created in your Atlassian organization, followed by the Directory base URL.
Configure any attribute mapping you need. Google’s defaults are designed to work with the Atlassian app out of the box, but you can make any additional changes for your organization’s needs here.
Select the groups from Google with users that you want to sync. Because Google doesn’t currently support the Groups entity in the SCIM specification, users will sync to the All members for directory - <directory_id> group in your Atlassian organization.
Step 3. Verify emails are the same for SCIM and SAML in Google Cloud Admin
User provisioning uses an email address to identify a user in the Atlassian app and then creates a new Atlassian account or links to an existing one. As a result, if the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in the Google Cloud app, the user could end up with duplicate Atlassian accounts.
To avoid duplicate accounts, make sure the email address attribute that maps the user account is the same for SAML SSO and for SCIM user provisioning:
In Google Cloud Admin, open the Atlassian app under the SAML apps tab and note the field that maps to the Primary email attribute. The default is email, as shown in the screenshots.
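As an added illustration of the check in Step 3 (this is not Atlassian's or Google's code): a small Python audit that compares the email attribute values seen in SAML assertions with the userName and primary email held in the SCIM directory. The SCIM 2.0 ListResponse shape is what a GET on <Directory base URL>/Users returns with the API key as a bearer token; that call is assumed rather than performed, and all sample data below is constructed.

```python
import json

# Constructed sample in the shape of a SCIM 2.0 ListResponse, as returned by
# GET <Directory base URL>/Users (Authorization: Bearer <API key>).
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"userName": "alice@example.com", "active": True,
         "emails": [{"value": "alice@example.com", "primary": True}]},
        # userName and primary email disagree: the Google mapping is inconsistent.
        {"userName": "bob@example.com", "active": True,
         "emails": [{"value": "bob.jones@example.com", "primary": True}]},
        {"userName": "carol@example.com", "active": False,
         "emails": [{"value": "carol@example.com", "primary": True}]},
    ],
})

# Constructed: email attribute values observed in SAML assertions for the same people.
SAML_EMAILS = ["Alice@example.com", "bob.jones@example.com", "dave@example.com"]


def normalize(email):
    """Compare case-insensitively so only real identity differences are flagged."""
    return email.strip().lower()


def scim_identities(list_response):
    """Map each provisioned userName to its primary email, both normalised."""
    ids = {}
    for user in json.loads(list_response).get("Resources", []):
        primary = next((e["value"] for e in user.get("emails", [])
                        if e.get("primary")), user["userName"])
        ids[normalize(user["userName"])] = normalize(primary)
    return ids


def audit(saml_emails, list_response):
    """Return (saml_emails_without_scim_user, scim_users_with_conflicting_email).

    A SAML email with no matching SCIM userName is the mismatch the Step 3 note
    warns about: that login may be linked to a different account than the one
    SCIM provisioned. A userName that differs from the record's own primary
    email shows the two attribute mappings in Google disagree.
    """
    ids = scim_identities(list_response)
    unmatched = sorted({normalize(e) for e in saml_emails} - set(ids))
    conflicts = sorted(u for u, p in ids.items() if u != p)
    return unmatched, conflicts


if __name__ == "__main__":
    unmatched, conflicts = audit(SAML_EMAILS, SCIM_LIST_RESPONSE)
    print("SAML emails with no SCIM user:", unmatched)
    print("SCIM users whose userName differs from primary email:", conflicts)
```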
Step 4. Set up product access for provisioned users
To grant product access to any new provisioned users, set up product access for existing groups.
From the site (example.atlassian.net) you added in Step 1, go to Product access and find the Jira Service Desk section.
Click Add group and select or enter the name of the automatically generated group containing all SCIM-synced users.
Click Add groups to finish giving the group product access.
You'll see a success flag that confirms the group is configured for product access. To learn more about configuring product access, see Update product access settings.
Do not make the group of all SCIM-synced users a default group. Doing so may cause collisions when you attempt to add users who are not managed via SCIM to the product.