Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

JIT Provisioning with Keycloak SAML to servicedesk URL redirects first-time users to Login Page

Vaibhav Verma
Vaibhav Verma
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
March 6, 2026

Environment

  • Identity Provider: Keycloak (SAML 2.0)
  • Atlassian product: Jira Service Management (JSM)
  • Domain verification: Enabled (verified domain)
  • Provisioning method: JIT (Just-in-Time) via SAML

What I'm trying to achieve

I want first-time users to be automatically provisioned via JIT and land directly on a specific JSM Help Center/portal page after authentication. The goal is a seamless SSO experience where:

  1. User clicks a link (e.g., a ticket portal URL)
  2. Gets redirected to Keycloak for authentication
  3. JIT provisioning creates/grants their account access to JSM automatically
  4. User lands on the intended servicedesk page

The Problem

I'm passing the servicedesk portal URL (e.g., <base_url>/servicedesk/customer/portal/X) in the SAML RelayState parameter.

Observed behavior for first-time users:

  • When RelayState = servicedesk/portal URL → User is redirected to the Help Center login page instead of being logged in and taken to the portal
    image.png
  • When RelayState = <base_url>/jira (or any non-servicedesk URL) → User is shown a screen saying they "need to request access" — which is also not the desired behavior, but at least they're authenticated and can request access from there.
    Screenshot 2026-03-06 at 7.47.00 PM.png

In both cases, returning/already-provisioned users land on the correct page without any issues. The problem is isolated to first-time JIT-provisioned users.

What I've tried

  • Passing different variations of the servicedesk URL in RelayState
  • Ensuring the SAML assertion includes the correct attributes for JSM product access
  • Confirming that JIT provisioning itself works (users do get created in Atlassian)

Questions

  1. Is there a known issue or limitation with RelayState and the JSM Help Center for JIT-provisioned users on their first login?
  2. Is there a specific URL format or path that should be used in RelayState to correctly redirect first-time users to the servicedesk portal post-provisioning?
  3. Is there any recommended workaround — such as a landing page, a specific Atlassian URL that handles post-provisioning redirects, or a JSM-specific SSO entry point?

Any guidance from the community or Atlassian staff would be greatly appreciated!

Answer
Watch
Like Be the first to like this
37 views

1 answer

0 votes
Marc -Devoteam-
Marc -Devoteam-
Community Champion
March 6, 2026

Hi @Vaibhav Verma 

If a user is not listed within Atlassian (user doesn't exist yet) they will land on the help center portal 

See SSO for customer only accoutn, https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-for-portal-only-customers/ 

View More Comments
Vaibhav Verma
Vaibhav Verma
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
March 6, 2026

No the user is getting created in Atlassian at the time of SAML login to Atlassian from keycloak. I want at that time when user is getting created should also get JSM permission and user should be able to see help center screen.

Like
Marc -Devoteam-
Marc -Devoteam-
Community Champion
March 6, 2026

Hi @Vaibhav Verma 

But this doesn't answer my question. 

Is the user already created in Atlassian before the user gets to the portal?

Is the created user listed as a customer on the project before the user gets redirected to the portal?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira Service Management
Jira Service Management
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2026 Atlassian
    Privacy Policy Notice at Collection Terms Security