What do we need to do in order to get OKTA SSO working in Jira Data Center

Edited

We had some concerns we would like to address before enabling SSO in Data Center. We are currently using Crowd AD sync to pull in users from Active Directory. When we go to set up OKTA SSO, what kinds of issues do we need to be aware of?

1. Will Application Access work the same as it does now? We can only grant new AD groups application access after the Crowd sync completes - Will this change once we set up OKTA SSO? How do we grant application access after moving to SSO?

2. Where can I confirm that the identity created within Jira by the AD/LDAP sync aligns with the identity provided by OKTA from OIDC or SAML? We need to know if these match and, if so, what do they match on (i.e. email)?

Thanks again,

Kal

1 answer

0 votes
Benjamin S
Atlassian Team
Mar 22, 2023 • edited

Hi @Kal

Okta SSO works like a standard SAML provider, so the SAML SSO for Jira Data Center applications guide applies here.

To address your questions:

Will Application Access work the same as it does now? We can only grant new AD groups application access after the Crowd sync completes - Will this change once we set up OKTA SSO? How do we grant application access after moving to SSO?

From my understanding, your current directory flow is: Active Directory -> Atlassian Crowd -> Jira DC.

Assuming you retain this directory configuration, nothing will change. Jira will still rely on Crowd group membership, which originates in AD. Any user that has the jira-software-users or jira-servicedesk-users group (or another group defined in the application access admin page) membership can log in to the respective Jira application.

The bundled Jira SSO app allows for just-in-time (JIT) user provisioning. JIT user provisioning automatically adds users to (or updates attributes/membership in) Jira's internal directory during SAML login. A downside to JIT is that users aren't automatically removed from Jira's internal directory when removed from the SAML IdP. If you decide to use JIT, you would want to remove your external user directory from Jira.

Where can I confirm that the identity created within Jira by the AD/LDAP sync aligns with the identity provided by OKTA from OIDC or SAML? We need to know if these match and, if so, what do they match on (i.e. email)?

The username mapping setting on the Jira SSO configuration page allows you to specify which IdP attribute maps to the account username. You should use the attribute that Okta links to your AD sAMAccountNames or UPN.

Please let me know if this answers your question!

Thanks,
Ben
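
An added example, not part of Ben's answer or Atlassian's tooling: a pre-cutover check that compares a candidate username-mapping attribute against the usernames already synced into Jira. The user records, attribute key names, and the case-insensitive comparison are assumptions, and all data is constructed.

```python
from collections import Counter

# Constructed sample: usernames as synced into Jira from AD via Crowd.
JIRA_USERNAMES = ["kal", "bsmith", "jdoe", "svc-build"]

# Constructed sample: IdP-side user records. Key names are assumptions,
# not the IdP's real schema.
IDP_USERS = [
    {"sAMAccountName": "kal", "upn": "kal@corp.example", "email": "kal@example.com"},
    {"sAMAccountName": "BSmith", "upn": "bsmith@corp.example", "email": "ben.smith@example.com"},
    {"sAMAccountName": "jdoe", "upn": "jdoe@corp.example", "email": "jdoe@example.com"},
    {"sAMAccountName": "newhire", "upn": "newhire@corp.example", "email": "newhire@example.com"},
]

def norm(value):
    # Assumption: usernames compare case-insensitively, ignoring outer whitespace.
    return (value or "").strip().lower()

def mapping_report(jira_usernames, idp_users, attribute):
    """Compare one candidate IdP attribute against existing Jira usernames."""
    jira = {norm(u) for u in jira_usernames}
    counts = Counter(v for v in (norm(u.get(attribute)) for u in idp_users) if v)
    present = set(counts)
    return {
        "attribute": attribute,
        # IdP users whose asserted name equals an existing Jira account.
        "matched": sorted(jira & present),
        # Jira accounts no IdP user maps to (service accounts, leavers).
        "jira_only": sorted(jira - present),
        # IdP users with no Jira account: login fails, or JIT creates a new one.
        "idp_only": sorted(present - jira),
        # Two IdP users asserting the same name would land on one Jira account.
        "collisions": sorted(v for v, n in counts.items() if n > 1),
    }

def best_attribute(jira_usernames, idp_users, candidates):
    """Return the collision-free candidate that matches the most accounts."""
    reports = [mapping_report(jira_usernames, idp_users, a) for a in candidates]
    usable = [r for r in reports if not r["collisions"]]
    return max(usable, key=lambda r: len(r["matched"]))["attribute"] if usable else None

if __name__ == "__main__":
    for attr in ("sAMAccountName", "upn", "email"):
        print(mapping_report(JIRA_USERNAMES, IDP_USERS, attr))
    print("suggested:", best_attribute(JIRA_USERNAMES, IDP_USERS, ["sAMAccountName", "upn", "email"]))
```

With the constructed data, only `sAMAccountName` lines up with the synced usernames; the `jira_only` list is also where accounts left behind by JIT provisioning would surface.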

Hello and thank you for your help. Very much appreciated. 

I have one follow-up question/comment. Yes, it is true that our current directory flow is AD/Crowd/Jira DC. I just wanted to make sure that this configuration would be left in place after integrating with OKTA SSO...

Lastly, if we decided on OpenID rather than SAML, would things change with how we set up OKTA SSO?

Thank you again for your time,

Kal
