SAML for Atlassian Data Center / SAMLDC-77

As an administrator I would like to transform JIT synchronized groups names (aka group name mapping)

    • Type: Suggestion
    • Resolution: Unresolved
    • Priority: Low

      Problem Definition

      Since groups synchronized to Atlassian applications can be used to assign permissions (project, space, etc), some group names from the IdP might not be easily recognized by users.

      It would be interesting to an Atlassian administrator to have the ability to map groups synchronized by JIT to internal groups, with different names.

      The same feature would be useful when configuring JIT with Azure AD.
      Azure AD would send only the group ID (Azure Active Directory Group ObjectId) through SAML.
      This feature would enable Azure AD customers to enable JIT in their instances.
      More details in Configure group claims for applications with Azure Active Directory.

      Note that sAMAccountName can be used for groups synchronized from on-prem AD, but not for groups created directly on Azure AD.

      Suggested Solution

      Provide a feature to map the name of groups synchronized from the IdP to new names.
      This is similar to a feature provided by other Marketplace Apps:
       • https://wiki.resolution.de/doc/saml-sso/latest/jira/further-configuration/transformations


            Renata Dornelas made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 680592 ]
            Dominique Cardin made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 925424 ]
            Dominique Cardin made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 900110 ]
            Aline Staudt made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 680592 ]
            Josh Ramos (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 665161 ]
            Owen made changes -
            Workflow Original: SAMLDC Workflow v2 [ 4083721 ] New: JAC Suggestion Workflow 3 [ 4271284 ]
            Status Original: Open [ 1 ] New: Gathering Interest [ 11772 ]
            Thiago Masutti made changes -
            Description: added to the Problem Definition the note "sAMAccountName can be used for groups synchronized from on-prem AD, but not for groups created directly on Azure AD." together with the thumbnail of screenshot-1.png. The rest of the description (Problem Definition, the link to Configure group claims for applications with Azure Active Directory at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims, and the Suggested Solution with its reference to https://wiki.resolution.de/doc/saml-sso/latest/jira/further-configuration/transformations) is unchanged.
            Thiago Masutti made changes -
            Attachment New: screenshot-1.png [ 413349 ]

            Sung Cha added a comment - - edited
            1. Set it like the SS below. (edit: adding in more text as I am not sure if the SS is showing)
              1. Add a new group claim in the AAD SSO / Enterprise App
              2. Select "Groups assigned to the application"
              3. Check "Customize the name of the group claim" in Advanced Options
              4. Type in "groups" in the "Name (required)" field.  This must match what you put in for the group attribute name in the JIT section.  Case matters.
              5. Make sure Namespace is blank.  JIT is just looking for "groups", not the long http://schemas.../groups, etc...
            2. Add the AAD group to the user role in the SSO / Enterprise App.
            3. Have the group precreated in Jira, and also give it rights to the application and/or project in advance.
            4. Add user(s) to the group and test.

             

            We have it working like this with AADSSO and JIT.

             

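An added example, not code from this issue, from Atlassian's SAML for Data Center app, or from the commenter: it pulls the group claim out of a SAML assertion the way the comment above describes, matching the attribute Name exactly ("groups", case-sensitive, no namespace, so the default http://schemas.../groups claim name is not picked up), and then applies the ObjectId-to-group-name mapping this issue requests. The assertion, the GUIDs, the mapping table and every function name are constructed for illustration, and the code assumes the SAML layer has already verified the assertion's signature before the groups are read.

```python
"""
Added example (not from SAMLDC-77, Atlassian's SAML app or the commenter):
extract the Azure AD group claim from a SAML assertion and map the group
ObjectIds it carries to internal group names, the way JIT group name
mapping would. All identifiers, GUIDs and the assertion are constructed.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion. Azure AD emits group claims with the group's
# ObjectId as the value. The first attribute carries the default namespaced
# claim name; the second is what "Customize the name of the group claim"
# with Name=groups and an empty Namespace produces.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical mapping an administrator maintains: Azure AD ObjectId -> internal group.
GROUP_NAME_MAP = {
    "11111111-2222-3333-4444-555555555555": "jira-developers",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "confluence-users",
}


def extract_group_values(assertion_xml, attribute_name="groups"):
    """Return the values of the Attribute whose Name equals attribute_name exactly.

    The comparison is case-sensitive and does not strip namespaces, which is why
    a claim emitted as http://schemas.../groups is not found when the JIT
    configuration names the attribute "groups". The assertion is assumed to be
    signature-verified already; this function does no validation of its own.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            if val.text:
                values.append(val.text.strip())
    return values


def map_groups(idp_groups, name_map):
    """Translate IdP group identifiers to internal group names.

    Returns (mapped, unmapped). Identifiers without an entry are reported
    separately instead of being turned into a group named after the raw
    ObjectId, so the mapping table also acts as an allowlist of which IdP
    groups may grant permissions at all.
    """
    mapped, unmapped = [], []
    for group_id in idp_groups:
        if group_id in name_map:
            if name_map[group_id] not in mapped:
                mapped.append(name_map[group_id])
        else:
            unmapped.append(group_id)
    return mapped, unmapped


def jit_groups_for(assertion_xml, name_map=GROUP_NAME_MAP, attribute_name="groups"):
    """End-to-end: exact attribute lookup followed by name mapping."""
    return map_groups(extract_group_values(assertion_xml, attribute_name), name_map)


if __name__ == "__main__":
    mapped, unmapped = jit_groups_for(SAMPLE_ASSERTION)
    print("assign:", mapped)
    print("no mapping:", unmapped)
    # Case matters: a JIT attribute name of "Groups" matches nothing here.
    print("with 'Groups':", extract_group_values(SAMPLE_ASSERTION, "Groups"))
```

Run as a script it reports jira-developers and confluence-users for assignment and leaves the third GUID unmapped; the same lookup with "Groups" instead of "groups" returns nothing, which is the symptom the comment's "Case matters" step is about. Keeping unmapped ObjectIds out of the assigned set is deliberate: a group auto-created under a GUID name is unreadable to administrators and would silently collide with any group that already has that name.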
            Thiago Masutti made changes -
            Summary Original: As an administrator I would like to transform JIT synchronized groups names New: As an administrator I would like to transform JIT synchronized groups names (aka group name mapping)

              Assignee: Unassigned
              Reporter: Thiago Masutti (tmasutti)
              Votes: 24
              Watchers: 29