Hi @Rory Davidson — this trips a lot of folks up.
Short answer: for Atlassian Cloud, everyone still signs in as an Atlassian account. SAML SSO (with Keycloak in your case) doesn’t replace the account model; it just handles the authentication.
The good news is you don’t have to pre-create accounts manually: with Atlassian Access and a verified domain, you can enable just-in-time creation so a managed Atlassian account is created on the user’s first SSO login. That usually removes the “please create an Atlassian account first” step you’re seeing.
If you also want lifecycle management (create/update/deactivate from Keycloak), that’s done via SCIM provisioning. Atlassian doesn’t ship a native Keycloak connector, so teams either use a SCIM bridge/plug-in or manage users in Atlassian Admin and rely on JIT.
A quick checklist that tends to resolve most setups:
- Verify your email domain in admin.atlassian.com and have Atlassian Access active.
- Configure SAML using the metadata/values shown in your org’s SAML settings (don’t copy generic examples). Ensure NameID maps to the user’s email.
- Turn on enforcement for SSO and (optionally) JIT account creation.
- Test SP-initiated login first (from a product URL) before trying IdP-initiated flows.
Keycloak works fine as the IdP with those pieces in place. If it helps, share a redacted screenshot of your attribute mappings and we can sanity-check them.
— Mia Tamm from Simpleasyty
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.