It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Auto-Deactivation Management: Detection from the IdP and Deactivation in Atlassian Access.

- Technical situation : Keycloak as an Identity Provider, Atlassian Access for SSO with Jira Software Cloud, Jira Service Desk Cloud and Confluence Cloud. Possible Script Runner usage.

 

Hello everyone,

Is it possible in Atlassian Access to detect when a user has been deactivated or deleted from the identity provider (here, Keycloak)?

I know that user provisioning is not automatic between Atlassian Access and Keycloak as Keycloak doesn't support SCIM. They can only communicate via SAML and, at best, user provisioning can be done in a Just in Time fashion with Atlassian Access (see Keycloak's wiki about user provisioning and Atlassian Access' doc about Just in time provisioning via SAML)

For our client, it's a big security issue to manage users on both sides. Do you please have any pointer as to what to do when an employee leaves the company?

Here are some of our ideas : 

1) If it's possible, raising an event in Atlassian Access when a user is detected as deactivated from the identity provider, and then deactivate the said user in Atlassian Access (for Jira Software Cloud, JSD Cloud and Confluence Cloud). Maybe via Script Runner.

2) Or, run a batch script everyday to check on user licenses and deactivate unlicensed users in Atlassian Access / JS+JSD+Confluence

I'm open to any other ideas.

Thanks in advance,

Regards,

Dylan

2 answers

1 accepted

1 vote
Answer accepted
Dave Meyer Atlassian Team Jun 21, 2020

Hi @Dylan_Pokun ,

If you can detect when a user is no longer active in Keycloak, you can set up a script to call the account deactivation API for that user.

You would use this API to look up email and accountId mappings for users in an organization: https://developer.atlassian.com/cloud/admin/organization/rest/#api-orgs-orgId-users-get

And this one to deactivate the account programmatically based on the accountId: https://developer.atlassian.com/cloud/admin/user-management/rest/#api-users-account-id-manage-lifecycle-disable-post

Regards,

Dave

Hi Dylan,

I can confirm that it will not be possible to achieve your requirement with ScriptRunner for Jira Cloud as Atlassian does not provide any API's that I am aware of to automate actions inside Atlassian Access or Keycloak in Jira cloud.

However, I would advise contacting Atlassian directly via there support portal to ask them if they can advise on if your requirement to be achieved and if so how to do it.

Regards,

Kristian

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Atlassian Access

We're launching improved navigation for admins

Hi Atlassian Community, My name is Avni Barman and I am a Product Manager on the Atlassian Access team! One of my top priorities is to help make the administrator's life easier through improved pro...

267 views 0 8
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you