Working with JIT provisioning

JIT user provisioning

On this page

Related content

Still need help?

The Atlassian Community is here for you.

Ask the community

Compatibility Advise

The steps outlined in this article for configuring Jira's Single Sign-On (SSO) with Just-In-Time (JIT) provisioning apply to versions prior to 8.15. In these earlier versions, SSO functionality was provided through an installed app rather than being natively bundled with Jira Data Center.

Important: Atlassian has deprecated these older versions and highly recommends upgrading to the latest version of Jira Data Center (8.15 or later), where SSO capabilities are built-in, offering enhanced security and improved performance.

Continuing to use deprecated versions may expose your system to security vulnerabilities and compatibility issues. Please consider upgrading to ensure you have the latest features and security enhancements.

Always make a backup before installing, upgrading, or performing any kind of transformative operation on your instance.

Just-in-time user provisioning (JIT provisioning) allows users to be created and updated automatically when they log in through SAML SSO or OpenID Connect (OIDC) SSO to Atlassian Data Center applications such as Jira, Confluence, or Bitbucket.

JIT provisioning is a part of the SSO for Atlassian Data Center app. You can download the app from the Atlassian Marketplace

Installing 

Install the app by uploading the JAR to your Atlassian Data Center product. 

  1. Download the SSO for Atlassian Data Center JAR from the Atlassian Marketplace

  2. In your Atlassian product, go to Administration Manage apps > Manage apps.

  3. Select Upload app.

  4. From your computer, choose the JAR file for the JIT provisioning app.

  5. Select Upload.

    The app should now appear as enabled in the list of user-installed apps.

Configuring

  1. In your Atlassian Data Center product, go to SSO 2.0 configuration:

    • For Jira applications, go to Administration  > System > SSO 2.0 Authentication
    • For Confluence, go to Administration  > General Configuration > SSO 2.0
    • For Bitbucket, go to Administration  > Accounts > SSO 2.0 Authentication

  2. Set the authentication method to SAML or OpenID Connect.

  3. Make sure the Username mapping field is filled correctly.
    This field affect how JIT provisioning functions. For more information, see Configuring the username mapping field.

  4. Check Create users on login to the application.

  5. Configure your user data mappings.

    For more information on how to configure these fields, see: JIT user provisioning

  6. Select Save configuration.

    Your JIT app is now configured. To test your configuration, see JIT Provisioning - How to test your attribute mappings.

Upgrading

To upgrade, follow the same steps as listed above for installing the app

Disabling

  1. Clear Create users on login to the application.

  2. Select Save configuration.

Finding JIT provisioned users

If you need to a list of of users which were provisioned just-in-time, there are two ways to find out:

  • HTTP request

When logged in as a system administrator, send a GET request to: 

https://<product-base-url>/rest/authconfig/latest/jit-users


  • SQL query

Download and run the following query against your product:
list_jit_provisioned_users.sql

Last modified on Mar 27, 2025

Was this helpful?

Yes
No
Provide feedback about this article

Related content

Powered by Confluence and Scroll Viewport.