Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,553,440
Community Members
 
Community Events
184
Community Groups

Auto-Deactivation Management: Detection from the IdP and Deactivation in Atlassian Access.

Dylan Pokun
Dylan Pokun Jun 17, 2020

- Technical situation : Keycloak as an Identity Provider, Atlassian Access for SSO with Jira Software Cloud, Jira Service Desk Cloud and Confluence Cloud. Possible Script Runner usage.

 

Hello everyone,

Is it possible in Atlassian Access to detect when a user has been deactivated or deleted from the identity provider (here, Keycloak)?

I know that user provisioning is not automatic between Atlassian Access and Keycloak as Keycloak doesn't support SCIM. They can only communicate via SAML and, at best, user provisioning can be done in a Just in Time fashion with Atlassian Access (see Keycloak's wiki about user provisioning and Atlassian Access' doc about Just in time provisioning via SAML)

For our client, it's a big security issue to manage users on both sides. Do you please have any pointer as to what to do when an employee leaves the company?

Here are some of our ideas : 

1) If it's possible, raising an event in Atlassian Access when a user is detected as deactivated from the identity provider, and then deactivate the said user in Atlassian Access (for Jira Software Cloud, JSD Cloud and Confluence Cloud). Maybe via Script Runner.

2) Or, run a batch script everyday to check on user licenses and deactivate unlicensed users in Atlassian Access / JS+JSD+Confluence

I'm open to any other ideas.

Thanks in advance,

Regards,

Dylan

Answer
Watch
Like e_kentsa-nlep_ext likes this
883 views

2 answers

1 accepted

1 vote
Answer accepted
Dave Meyer
Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jun 21, 2020

Hi @Dylan Pokun ,

If you can detect when a user is no longer active in Keycloak, you can set up a script to call the account deactivation API for that user.

You would use this API to look up email and accountId mappings for users in an organization: https://developer.atlassian.com/cloud/admin/organization/rest/#api-orgs-orgId-users-get

And this one to deactivate the account programmatically based on the accountId: https://developer.atlassian.com/cloud/admin/user-management/rest/#api-users-account-id-manage-lifecycle-disable-post

Regards,

Dave

Reply
0 votes
Kristian Walker (Adaptavist)
Kristian Walker (Adaptavist)
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Jun 18, 2020

Hi Dylan,

I can confirm that it will not be possible to achieve your requirement with ScriptRunner for Jira Cloud as Atlassian does not provide any API's that I am aware of to automate actions inside Atlassian Access or Keycloak in Jira cloud.

However, I would advise contacting Atlassian directly via there support portal to ask them if they can advise on if your requirement to be achieved and if so how to do it.

Regards,

Kristian

Reply

Suggest an answer

Log in or Sign up to answer
Identity Manager
Atlassian Access
TAGS
AUG Leaders

Atlassian Community Events

See all events