Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,460,447
Community Members
 
Community Events
176
Community Groups

Is it possible to setup group membership sync between Atlassian and OKTA as part of SAML assertion

Hi there,

Does user / group sync feature of Atlassian Access through OKTA require user provisioning functionality / lifecycle management OR can we somehow sync the user group membership info as part of the SAML assertion?

Thank you,

Andrey

1 answer

1 accepted

1 vote
Answer accepted

I don't use Okta but with other IDP providers I have had to set up the SSO and then SCIM separate as the user provisioning happens separately from the SSO portion.

I have done this for
*Onelogin
*Azure
*JumpCloud

Everytime I have done this after setting up the SCIM you go back to the provider that will provision the users and apply the groups from there. Then in groups you should see those groups provision with a lock on them as the same as the directory in the SCIM.

Thanks @Aaron Geister , we do have SSO enabled but from what I understand the user provisioning / lifecycle management feature is a prerequisite for OKTA (at least according to this doc here

https://support.atlassian.com/provisioning-users/docs/configure-user-provisioning-with-okta

I've spoken with our Identity and Access Management team and from what I understand the lifecycle management in OKTA is simply cost-prohibitive for companies of our size, as such I'm wondering if there's some way of automating user provisioning / de-provisioning / group membership syncs without having to pay for OKTA's lifecycle management features OR writing our own code to manage user group memberships in Atlassian.

Thanks for the clarification of the situation. I am sure if its the SCIM portion and that is on a paid add-on then you would have to create your own way of doing this possibly by API or move to another IDP.


I am not a hundred percent sure as I have always use some type of identity management. I know you get the SCIM provision with JumpCloud, Azure, Onelogin. I didn't know there was an add-on for the rights to use that SCIM portion in Okta.

The only other thing I could offer with help is to say maybe its time to look at another IDP provider like JumpCloud. I can assist with this if you need and you can reach out to me from my profile or email me at ageister@project-icon.com and the other way is to use google directory sync. If that your email provider. I believe if you do so you can't use okta as SSO.

Like Steffen Opel _Utoolity_ likes this

Yup, I don't think we have an option to use another IdP and the connector between OKTA and Atlassian certainly makes it very convenient to provision / deprovision users and sync groups - the only problem is that it's cost prohibitive for us. Sounds like someone (probably me) will be rolling up his sleeves and get coding.   

Like Aaron Geister likes this

Good luck and check into the API as I believe there might be away to do so with API.

Suggest an answer

Log in or Sign up to answer
TAGS

Atlassian Community Events