You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
Does user / group sync feature of Atlassian Access through OKTA require user provisioning functionality / lifecycle management OR can we somehow sync the user group membership info as part of the SAML assertion?
I don't use Okta but with other IDP providers I have had to set up the SSO and then SCIM separate as the user provisioning happens separately from the SSO portion.
I have done this for
Everytime I have done this after setting up the SCIM you go back to the provider that will provision the users and apply the groups from there. Then in groups you should see those groups provision with a lock on them as the same as the directory in the SCIM.
Thanks @Aaron Geister , we do have SSO enabled but from what I understand the user provisioning / lifecycle management feature is a prerequisite for OKTA (at least according to this doc here
I've spoken with our Identity and Access Management team and from what I understand the lifecycle management in OKTA is simply cost-prohibitive for companies of our size, as such I'm wondering if there's some way of automating user provisioning / de-provisioning / group membership syncs without having to pay for OKTA's lifecycle management features OR writing our own code to manage user group memberships in Atlassian.
Thanks for the clarification of the situation. I am sure if its the SCIM portion and that is on a paid add-on then you would have to create your own way of doing this possibly by API or move to another IDP.
I am not a hundred percent sure as I have always use some type of identity management. I know you get the SCIM provision with JumpCloud, Azure, Onelogin. I didn't know there was an add-on for the rights to use that SCIM portion in Okta.
The only other thing I could offer with help is to say maybe its time to look at another IDP provider like JumpCloud. I can assist with this if you need and you can reach out to me from my profile or email me at email@example.com and the other way is to use google directory sync. If that your email provider. I believe if you do so you can't use okta as SSO.
Yup, I don't think we have an option to use another IdP and the connector between OKTA and Atlassian certainly makes it very convenient to provision / deprovision users and sync groups - the only problem is that it's cost prohibitive for us. Sounds like someone (probably me) will be rolling up his sleeves and get coding.