This guide provides the steps required to configure Provisioning for Atlassian Jira Cloud.
A new Atlassian Cloud application has been published in the the Okta Integration Network (OIN) that supports both SSO and SCIM Provisioning. To fully take advantage of this application, you need to have an Atlassian Access subscription: See https://www.atlassian.com/software/access for details.
If you already have this subscription, we recommend that you use the Atlassian Cloud application for both SSO and provisioning. If you already have existing instances of the old Jira/Confluence applications and would like to migrate your users to the new Atlassian Cloud application,follow the instructions in the Atlassian Migration Guide.
Important: Atlassian will no longer support the ability to push profile updates (Update User Attributes feature), including all user attributes previously supported, and sync passwords (Sync Password feature) for users once you migrate to Atlassian Account.
Atlassian reports working towards SCIM support for their applications which should enable this functionality again, and is targeting completion for July 2017 (see https://Jira.atlassian.com/browse/ID-6305). Please contact Atlassian Support for more specific updates on the status of this project.
In the meantime, we recommend that you turn off Sync Password functionality in Okta under the Provisioning tab for existing Jira and Confluence integrations. The rest of provisioning (create users, deactivate users, groups push and group assignments) will continue to work. In order for groups push and groups assignments to continue to work, you need to make sure the Update User Attributes feature is enabled (under the Provisioning tab).
Okta's Atlassian Jira Cloud integration supports the following Jira version 7 products, whether you are using one, or a combination of these Jira products:
Jira Core
Jira Software
Jira Service Desk
The Atlassian Jira Cloud application supports the following features:
Push new users
New users created through OKTA are also created in the third party application.
Push profile update
Push Profile updates can update group membership only. See Notes at the beginning of this document.
Push password update
Atlassian no longer supports Sync Password functionality. See Notes at the beginning of this document.
Import new users
New users created in the third party application are downloaded and turned in to new AppUser objects, for matching against existing OKTA users.
Import profile updates
Updates made to a user's profile in the third party application are downloaded and applied to the profile fields stored locally in OKTA. If the app is the system of record for the user, changes made to core profile fields (email, first name, last name, etc) are applied to the Okta user profile. If the app is NOT the system of record for the user, only changes made to app-specific fields are applied to the local user profile.
Push Group
Groups and their members can be pushed to remote systems. You can find more information about using group push operations (including Group Push enhancements) here: Using Group Push.
Configure your Provisioning settings for Atlassian Jira Cloud as follows:
Check the Enable API Integration box.
Enter your API CREDENTIALS:
Admin Email: Enter the admin email that has rights for user management.
API Token (note that this was formerly the Admin Password which has been deprecated by Atlassian): Enter the API token generated using the admin account (See https://confluence.atlassian.com/cloud/api-tokens-938839638.html for more information about how to obtain an API token).
All User’s Group: A group name, from which users are imported from remote side.
Note: Depending on organization settings, the All User's Group property may be not usable. By default, user imports are from a specified group only.Click Save:
Select To App in the left panel, then select the Provisioning Features you want to enable:
Click Next to proceed to the Assign to People tab.
On the Assign to People tab, you can assign any existing OKTA users to the application.
Click Next to complete provisioning setup.
Atlassian Jira Cloud does not support User's Schema Discovery.
If you run into problems assigning users via an OKTA group to Jira, and receive an error that states the group does not exist in Jira anymore, as shown below:
Do the following:
On the application list page, click Refresh Application Data.
Select your application, open the Group tab, then click Edit. Note that the missing group will NOT be displayed in the group list. Then add a new group, or remove any existing group from this list.
Click Save.
Open the Dashboard and retry the related provisioning tasks.
