Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Is it possible to setup group membership sync between Atlassian and OKTA as part of SAML assertion

Hi there,

Does user / group sync feature of Atlassian Access through OKTA require user provisioning functionality / lifecycle management OR can we somehow sync the user group membership info as part of the SAML assertion?

Thank you,


1 answer

1 accepted

1 vote
Answer accepted

I don't use Okta but with other IDP providers I have had to set up the SSO and then SCIM separate as the user provisioning happens separately from the SSO portion.

I have done this for

Everytime I have done this after setting up the SCIM you go back to the provider that will provision the users and apply the groups from there. Then in groups you should see those groups provision with a lock on them as the same as the directory in the SCIM.

Thanks @Aaron Geister , we do have SSO enabled but from what I understand the user provisioning / lifecycle management feature is a prerequisite for OKTA (at least according to this doc here

I've spoken with our Identity and Access Management team and from what I understand the lifecycle management in OKTA is simply cost-prohibitive for companies of our size, as such I'm wondering if there's some way of automating user provisioning / de-provisioning / group membership syncs without having to pay for OKTA's lifecycle management features OR writing our own code to manage user group memberships in Atlassian.

Thanks for the clarification of the situation. I am sure if its the SCIM portion and that is on a paid add-on then you would have to create your own way of doing this possibly by API or move to another IDP.

I am not a hundred percent sure as I have always use some type of identity management. I know you get the SCIM provision with JumpCloud, Azure, Onelogin. I didn't know there was an add-on for the rights to use that SCIM portion in Okta.

The only other thing I could offer with help is to say maybe its time to look at another IDP provider like JumpCloud. I can assist with this if you need and you can reach out to me from my profile or email me at and the other way is to use google directory sync. If that your email provider. I believe if you do so you can't use okta as SSO.

Like Steffen Opel _Utoolity_ likes this

Yup, I don't think we have an option to use another IdP and the connector between OKTA and Atlassian certainly makes it very convenient to provision / deprovision users and sync groups - the only problem is that it's cost prohibitive for us. Sounds like someone (probably me) will be rolling up his sleeves and get coding.   

Like Aaron Geister likes this

Good luck and check into the API as I believe there might be away to do so with API.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Atlassian Access

Atlassian Access Demo Q&A Recap

Hi Community! Thank you to all who joined our ongoing monthly Atlassian Access demo! We have an engaging group of attendees who asked many great questions. I’ll share a recap of frequently ask...

1,153 views 4 4
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you