
Enable user auto-provisioning and sync when SAML enabled

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Problem Definition

      When SAML is enabled, users have to be created both in the identity provider and Atlassian Cloud in order for a user to successfully log in.

      Suggested Solution

      Allow users to be automatically created and updated in Atlassian Cloud when the user is given or removed application access or edited via the identity provider.

      Workaround (Optional)

      Site admins can enable self-sign-up for certain domains, which will create the users automatically upon the first login. However, this is still not ideal, as users are not kept in sync between the IdP and Atlassian.


            Dave Meyer added a comment -

            Atlassian supports just-in-time provisioning for SAML with the following IdPs: Okta, Azure AD, Onelogin, Centrify, and Bitium as well as custom SAML configurations. Note that domain-based self signup must also be enabled on your site in order to immediately provision access to Jira or Confluence.

            We also support user provisioning with SCIM for Okta, Azure AD, and Onelogin and have published our SCIM API for custom usage.

            Dave Meyer
            Atlassian Access Product Management


            Dave Meyer added a comment - - edited

            Hi jschroeder1412890939,

            We're working hard to bring auto-provisioning to Access ASAP. If you're interested, we would love to have you fill out our survey about your identity provider and we will contact you when it's available: http://go.atlassian.com/access-survey (and you can share your feedback about potential features we're considering while you're at it)

            Cheers,
            Dave
            Atlassian Access Product Management


            John Schroeder added a comment -

            Please up the priority on this request. This isn't just a matter of convenience. It's a security concern, especially in an enterprise environment that deals in government CUI. The ability to automate steps in the deprovision process for departing employees (disabling accounts, revoking access to third-party applications, etc.) is relevant to the NIST 800-171 requirements.

            vlad (Inactive) added a comment -

            Hello, ianwalsh

            Just-in-time user provisioning via SAML is already supported. You can configure the SAML integration in a way that creates a user account on first login. You will need to allow users to join your site automatically (using a domain restriction, if desired) and set up default product access to ensure that automatically provisioned users join the site and have a product license.

            This ticket describes the capability to manage users and groups automatically, without relying on SAML just-in-time provisioning. This will be implemented using the SCIM protocol to enable integration with identity providers.

            Ian Walsh added a comment -

            Could you explain why a SCIM API is necessary to enable auto-provisioning based on the SAML response attributes? The SAML Web SSO profile doesn't rely on any SCIM APIs and a user could be created in Atlassian Cloud simply based on attributes in the SAML response, as is done by many other cloud services utilizing SAML for SSO.

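To make concrete the two comments above (vlad's description of SAML just-in-time provisioning with a domain restriction and default product access, and Ian Walsh's point that an account can be created from SAML response attributes alone), here is an added example that is not part of the ticket or of Atlassian's implementation. The attribute names, the in-memory directory and the allowed-domain and default-product settings are assumptions; the `stale_accounts` check illustrates the deprovisioning gap John Schroeder raises, which JIT cannot close on its own.

```python
"""Toy model of SAML just-in-time (JIT) provisioning: create or update a user
from SAML assertion attributes on login, enforce a domain restriction, grant
default product access, and report accounts JIT can never deactivate.
Assumed configuration, not Atlassian's."""
from dataclasses import dataclass, field

ALLOWED_DOMAINS = {"example.com"}           # assumed domain restriction
DEFAULT_PRODUCTS = {"jira", "confluence"}   # assumed default product access


@dataclass
class User:
    email: str
    display_name: str
    active: bool = True
    products: set = field(default_factory=set)


class SamlJitDirectory:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def login(self, assertion: dict) -> User:
        """Provision on first login, update display name on later logins."""
        email = assertion["NameID"].lower()          # attribute name assumed
        domain = email.rsplit("@", 1)[-1]
        if domain not in ALLOWED_DOMAINS:
            raise PermissionError(f"domain {domain!r} may not self-join")
        user = self.users.get(email)
        if user is None:
            user = User(email, assertion.get("displayName", email),
                        products=set(DEFAULT_PRODUCTS))
            self.users[email] = user
        else:
            user.display_name = assertion.get("displayName", user.display_name)
        return user

    def stale_accounts(self, idp_active_emails: set) -> list:
        """JIT only runs at login, so users removed at the IdP stay active
        here until an admin acts; a SCIM feed would deactivate them instead."""
        return sorted(e for e, u in self.users.items()
                      if u.active and e not in idp_active_emails)


# Constructed sample assertion attributes (not real SAML XML).
ASSERTION_ALICE = {"NameID": "alice@example.com", "displayName": "Alice A."}
ASSERTION_OUTSIDER = {"NameID": "bob@other.example", "displayName": "Bob"}
```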

            Rodrigo B. added a comment - - edited

            Hello ruslan.m2,

            Thank you for reaching out on this feature request. The feature to make this functionality possible is actually being tracked here: https://jira.atlassian.com/browse/ID-6305

            It's actively under development and an important feature to complement our Atlassian Access product, so stay tuned to watch that one too!

            Thank you & best regards,

            Rodrigo Becker
            Atlassian Cloud Support

            Ruslan Mamedov added a comment -

            Low priority

            Igor Kovacevic added a comment -

            As Ray explained, your proposed workaround is not acceptable for my use case either.

            We are using an external IdP and need this feature in order to work and be compliant.

            williamsray added a comment -

            Self-sign-up is also not ideal due to its inconsistent behavior and lack of notification to administrators. We may not want our users to all have the same permissions or access the same applications. New users would still have to contact their admin to have the permissions set, so why bother with self-sign-up.

              Assignee: Unassigned
              Reporter: Miguel Alonso (malonso@atlassian.com)
              Votes: 35
              Watchers: 39