Details
- Bug
- Resolution: Fixed
- Medium
- None
- 8.15.1
- None
- 8.15
- 19
- Severity 2 - Major
- 103
Description
Summary
Currently, when using JIT provided by SSO for Atlassian Server and Data Center, users are updated every time they log in.
This can cause group membership to be lost if the groups are being managed directly in Jira's internal directory.
Environment
- Jira DC 8.15.x
- SAML SSO 4.1.5
- OIDC for SSO
- JIT enabled
Steps to Reproduce
- Log in to Jira for the first time with a user that is provided by the IDP;
- JIT will create the user in the internal directory as expected;
- Add Jira internal groups to the newly created user;
- Log out;
- Upon the next login, the internal groups are removed and only the groups provided by the IDP with JIT will be kept.
Expected Results
Just like the Delegated LDAP directory, internal groups should be kept, along with new groups provided by the IDP.
Actual Results
Users are removed from internal groups as they log in.
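The difference between the actual and expected results can be modelled as two group reconciliation strategies. The following is an added example, not Atlassian's code: the `User` class, function names and group names are hypothetical, and it assumes the directory records which memberships came from the IDP so that revocations on the IDP side still take effect.

```python
# Illustrative model only; not Atlassian's implementation. All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)      # effective memberships
    idp_groups: set = field(default_factory=set)  # memberships last asserted by the IDP


def jit_login_replace(user, asserted):
    """Reported behaviour: every login overwrites memberships with the assertion."""
    asserted = set(asserted)
    removed = user.groups - asserted   # includes groups assigned inside Jira
    user.groups = set(asserted)
    user.idp_groups = set(asserted)
    return removed


def jit_login_merge(user, asserted):
    """Expected behaviour: reconcile only the memberships the IDP owns."""
    asserted = set(asserted)
    local = user.groups - user.idp_groups   # assigned in the internal directory
    revoked = user.idp_groups - asserted    # IDP no longer asserts these
    user.groups = local | asserted
    user.idp_groups = asserted
    return revoked


def demo(sync):
    """Replay the steps to reproduce with constructed sample group names."""
    user = User("alice")
    sync(user, ["jira-software-users"])          # first login, JIT creates the user
    user.groups.add("project-admins")            # admin adds an internal group
    lost = sync(user, ["jira-software-users"])   # next login
    return user.groups, lost


if __name__ == "__main__":
    for sync in (jit_login_replace, jit_login_merge):
        groups, lost = demo(sync)
        print(f"{sync.__name__}: groups={sorted(groups)} removed={sorted(lost)}")
```

The set returned by each function is what an audit log would need to record to make silent membership loss visible after a login.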
Workaround
Manage the groups on the IDP side, by creating groups with the same name as Jira's internal groups in the IDP, or disable JIT.
Issue Links
- is related to
  - JRASERVER-71896 Update only new users with JIT (Gathering Interest)
  - JRASERVER-72066 Make JIT Group Attribute Sync optional and add Default Group Membership (Gathering Interest)
- causes
  - PS-77020