Is it possible to set up group membership sync between Atlassian and Okta as part of the SAML assertion?

Andrey Popov August 26, 2021

Hi there,

Does the user / group sync feature of Atlassian Access through Okta require the user provisioning / lifecycle management functionality, or can we somehow sync the user group membership info as part of the SAML assertion?

Thank you,

Andrey

2 answers

1 vote
Answer accepted
Aaron Geister
August 26, 2021

I don't use Okta, but with other IdP providers I have had to set up SSO and then SCIM separately, as the user provisioning happens separately from the SSO portion.

I have done this for:
* OneLogin
* Azure
* JumpCloud

Every time I have done this, after setting up SCIM you go back to the provider that will provision the users and apply the groups from there. Then in Groups you should see those groups provisioned with a lock on them, the same as the directory in SCIM.

Andrey Popov August 26, 2021

Thanks @Aaron Geister, we do have SSO enabled, but from what I understand the user provisioning / lifecycle management feature is a prerequisite for Okta (at least according to this doc here: https://support.atlassian.com/provisioning-users/docs/configure-user-provisioning-with-okta).

I've spoken with our Identity and Access Management team, and from what I understand the lifecycle management in Okta is simply cost-prohibitive for companies of our size. As such, I'm wondering if there's some way of automating user provisioning / de-provisioning / group membership syncs without having to pay for Okta's lifecycle management features or writing our own code to manage user group memberships in Atlassian.

Aaron Geister
August 26, 2021

Thanks for the clarification of the situation. I am sure if it's the SCIM portion and that is a paid add-on, then you would have to create your own way of doing this, possibly by API, or move to another IdP.

I am not a hundred percent sure, as I have always used some type of identity management. I know you get SCIM provisioning with JumpCloud, Azure, and OneLogin. I didn't know there was an add-on for the rights to use the SCIM portion in Okta.

The only other thing I could offer to help is to say maybe it's time to look at another IdP provider like JumpCloud. I can assist with this if you need; you can reach out to me from my profile or email me at ageister@project-icon.com. The other way is to use Google directory sync, if that is your email provider. I believe if you do so you can't use Okta as SSO.

Andrey Popov August 26, 2021

Yup, I don't think we have an option to use another IdP, and the connector between Okta and Atlassian certainly makes it very convenient to provision / deprovision users and sync groups. The only problem is that it's cost-prohibitive for us. Sounds like someone (probably me) will be rolling up his sleeves and coding.

Aaron Geister
August 26, 2021

Good luck, and check into the API, as I believe there might be a way to do so with the API.
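As an added illustration of the "write our own code" route discussed above (example code, not from this thread, Atlassian or Okta): given the group membership your IdP holds and what the Atlassian-side directory currently reports, this builds the SCIM 2.0 PatchOp bodies (RFC 7644) needed to bring the two into line. It assumes the target exposes a standard SCIM 2.0 Groups resource; the endpoint URL, directory id and bearer token are not shown, and the membership data is constructed.

```python
import json

# SCIM 2.0 PatchOp schema URI (RFC 7644, section 3.5.2).
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:schemas:api:messages:2.0:PatchOp"


def build_group_patch(current_member_ids, desired_member_ids):
    """Return a PatchOp body turning current membership into desired, or None."""
    current, desired = set(current_member_ids), set(desired_member_ids)
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    ops = []
    if to_add:
        # One "add" op can carry every new member.
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": uid} for uid in to_add]})
    for uid in to_remove:
        # Members are removed by a filter on the members attribute, one op each.
        ops.append({"op": "remove", "path": f'members[value eq "{uid}"]'})
    if not ops:
        return None
    return {"schemas": [SCIM_PATCH_SCHEMA], "Operations": ops}


def reconcile_groups(current_groups, desired_groups):
    """Both args map group name -> list of member ids.

    Returns (patches, only_in_idp, only_in_directory): patches holds a PatchOp
    per group that exists on both sides and differs; the two lists name groups
    the caller must create or delete separately, since PATCH cannot do that.
    """
    patches = {}
    for name in sorted(set(current_groups) & set(desired_groups)):
        patch = build_group_patch(current_groups[name], desired_groups[name])
        if patch is not None:
            patches[name] = patch
    only_in_idp = sorted(set(desired_groups) - set(current_groups))
    only_in_directory = sorted(set(current_groups) - set(desired_groups))
    return patches, only_in_idp, only_in_directory


if __name__ == "__main__":
    # Constructed sample data: a GET /Groups snapshot vs. the IdP's view.
    current = {"jira-users": ["u1", "u2", "u3"], "stale-group": ["u9"]}
    desired = {"jira-users": ["u1", "u3", "u4"], "new-group": ["u4"]}
    patches, create, delete = reconcile_groups(current, desired)
    print(json.dumps(patches, indent=2))
    print("create:", create, "delete:", delete)
```

Each returned body is what you would send as `PATCH /Groups/{id}` with an `application/scim+json` content type; run the reconciliation on a schedule so removals from the IdP group propagate without waiting for a user's next SAML login.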

0 votes
Harold W Price July 4, 2023

Much has changed in the past two years. I am currently going through a migration to the Cloud using Okta as our IdP with Atlassian Access.

The user provisioning / lifecycle management feature is NOT a prerequisite anymore. Users are automatically provisioned using the provided Atlassian Cloud app template.


Okta and Atlassian have great integration features for syncing users and groups.

  • Groups in Okta are used to choose the members to provision.
  • You must individually select the groups to be synced to Atlassian Cloud using "Push Groups".

Good luck
