User Provisioning and SAML Single Sign-On for Jira Service Management Customers

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.


User provisioning overview

User provisioning allows organizations with an Atlassian Guard subscription to integrate an external directory with their Atlassian Cloud organization, so that users and groups are automatically updated and managed from their existing centralized directory. Through Atlassian Guard, organizations can take advantage of enterprise-grade identity management features across their verified domains by implementing authentication policies. Authentication policies make it possible to enforce modern authentication methods such as SAML single sign-on (SSO) and multi-factor authentication (MFA) on defined sets of users when they access your cloud instance.

Customer accounts in Jira Service Management

Customer accounts for Jira Service Management are unlicensed users who can submit requests to your teams. They are provided free and are non-billable, even when provisioned through Atlassian Guard. There are two types of Customer accounts in Jira Service Management: internal and external user accounts.

Types of Customer accounts

Customer account types typically align with either an organization's direct employees (internal accounts), created as Atlassian accounts, or users outside of an organization's managed domains (external accounts), created as portal-only accounts.

Learn more about What different account types can customers have?

What type of account is best for my users?

Whether your team is managing internal users, managing external users, or needs to take a hybrid approach based on the user's domain, you have the flexibility to choose the user provisioning or self sign-up options that work best for your user onboarding experience. To decide what type of account is best for your users, review the best practices article below.

Learn more about Choosing the right approach to Customer Management in Jira Service Management


Understanding the new Jira Service Management Customer role

A dedicated product access role for JSM Customers has been introduced to provide more granular control over which end-users are granted Customer access to individual sites. A provisioned user with no product access is no longer automatically considered a JSM customer. 

  • This role can be granted during SCIM user provisioning by synchronizing a user group from your external directory (IdP - Identity Provider) or granted when users access the portal using SAML Just-in-Time (JIT) provisioning through configured authentication policies, which will create an Atlassian account at login.
  • When using self sign-up flows, an organization's user access settings allow for managing the type of account created based on the user's email domain. Jira Service Management's product level customer access settings combined with organization level approved domain settings determine the type of account created for the specified domain's users when accessing support portals.

Learn more about Changing access settings for your customers for Jira Service Management and Controlling how users get access to products based on your organization's user access settings. 


Using SCIM user provisioning for Jira Service Management Customers

User provisioning with SCIM provides the ability to create, link, and deactivate Atlassian accounts from your integrated external directory (IdP - Identity Provider).  To provide the Jira Service Management Customer role at the time of user provisioning, a user group can be created and synchronized from the external directory with the Customer role granted in the organization's product access settings. The role can be granted from product management or user group management panels in the cloud organization's Admin Hub (admin.atlassian.com) based on the instance's current user management experience. 

This configuration grants users immediate access upon provisioning to log into a portal, or to submit issues using the email channel, for any Open support portal on your help center. For restricted service projects, you can add the group to the Project settings > People panel with the Service Desk Customer role to provide portal access upon account creation. There are limits on the total number of users, groups and user group size that can be provisioned using Atlassian Guard, which can impact this configuration option.

JSDCLOUD-12954


[Screenshots: Centralized User Management; Original User Management]

Using SAML Just-in-Time User provisioning for Jira Service Management Customers

SAML can also be used to provision users from your external directory (IdP) to your Atlassian cloud platform when they authenticate using SSO, leveraging SAML Just-in-Time (JIT) provisioning. Provisioning users using SAML allows Atlassian accounts to be created when users sign into a customer portal for the first time.

Learn more about Controlling how users get access to products per user access settings and Jira Service Management – Internal customers: Just-in-time community article that outlines this feature

Allowing sign-up to Jira Service Management customer portals

Jira Service Management customer access settings control whether self sign-up for the portal is allowed for internal or external customer accounts. When configuring SAML Just-in-Time provisioning, which provides Atlassian account provisioning to your cloud organization, the current organization-level user access settings will need to be enabled to support customer account creation for internal accounts with approved domains.

Learn more about Changing access settings for your customers and Approved domain settings for your organization.


[Screenshots: Jira Service Management Customer access settings; User access settings; Approved domain settings]


Using the new Jira Service Management portal-only customer SAML integration

Atlassian administrators now have the option to enforce SAML SSO for portal-only (external) customers to enhance the overall security posture of their environment. An additional IdP integration is necessary to configure SSO with your site's Jira Service Management product, and it requires that you set up SAML outside of any pre-configured Atlassian Cloud applications, which are designed for use with Atlassian accounts. This integration also provides the option to use Just-in-Time provisioning capabilities to create portal-only accounts for accessing Jira Service Management and within your connected external directory.

To set up and configure SSO authentication for portal-only customers, navigate to Jira Settings > Products > Jira Service Management > Authentication, or use your Atlassian organization administration hub (admin.atlassian.com).


[Screenshots: Jira Service Management Product Configuration; Atlassian Organization Administration hub (admin.atlassian.com)]

Last modified on Jun 12, 2024
