Configure customer provisioning with an identity provider
You can connect one identity provider and configure single sign-on and/or provisioning for your customers (Jira Service Management) when you subscribe to Atlassian Guard Standard.
The ability to provision Jira Service Management customers is available for people in an early access program (EAP). This feature will be available to everyone soon.
The System for Cross-domain Identity Management (SCIM) can integrate an external user directory with Jira Service Management to provision customers outside your organization. This page describes how to configure SCIM to provision customers for Jira Service Management.
If you plan to provision and sync users or employees in your organization as Jira Service Management customers, do not follow the instructions, because these users use Atlassian accounts. Read about how user provisioning works in your organization
Who can do this? |
Before you begin
Here’s what you must do before you can provision customers to your Jira Service Management site:
Subscribe to Atlassian Guard Standard from your organization. Understand Atlassian Guard
Make sure you're an admin for an Atlassian organization.
Make sure you're a Jira admin or product admin for Jira Service Management.
Add an identity provider directory to your Jira Service Management site. How to add an identity provider
Make sure you're a Jira admin to grant synced customers access to the help center and associated portals.
The instructions on this page only provide steps for configuring customer provisioning in Jira Service Management. Your identity provider may provide setup instructions for what to do from their side. Go to the instructions for Atlassian’s supported identity providers
What is provisioning with SCIM?
We support provisioning using the System for Cross-domain Identity Management (SCIM), and this feature uses the SCIM 2.0 version of the protocol.
Before you set up provisioning, we recommend you:
Create test accounts and groups in your identity provider to prevent existing customers from losing access to your help center and portals.
When you connect your identity provider and sync for the first time, you can use these test accounts and groups to ensure everything works.
After setup is complete, you can:
Manage users’ email addresses and group membership from your identity provider
Update synced customers and customer organizations to automatically access your help center and associated portals. Note that users and groups will sync to Jira Service Management as customers and organizations
Connect an identity provider with SCIM provisioning
After you set up user provisioning, make sure you store the SCIM base URL and API key values. Learn which identity providers we support
To set up customer provisioning:
From your organization at Atlassian Administration, select Apps.
Under Sites and products, select the site you want to configure the provisioning for.
Under Jira Service Management, select Portal-only customers.
Select (more options) > Identity providers.
Select an identity provider directory or create a new one.
Select Set up provisioning and follow the on-screen instructions.
From the Get provisioning credentials page, copy the values for SCIM base URL and SCIM API key.
View API key expiration date.
Save your SCIM configuration.
In early January of 2025, we automatically set SCIM API keys to expire after one year when you:
set up provisioning
regenerate a SCIM API key for your identity provider directory
Supported identity providers
Your SCIM setup depends on the identity provider. The Atlassian support team can provide setup instructions for supported identity providers.
Your identity provider may provide setup instructions for what to do from their side.
You’re not able to use your identity provider’s pre-configured Atlassian Cloud applications or apps to configure SCIM for customers. Apps are designed to work with SCIM for Atlassian accounts.
The exact steps and terminology may vary depending on your specific identity provider, please refer to the provider’s documentation or support resources for detailed guidance if needed.
To integrate a generic or custom application with your chosen identity provider:
Log in to your chosen identity provider account.
Look for the option to create your own application.
Once inside the application creation area, search for the option to integrate any other application not listed in the app gallery or catalog.
Select this option to proceed with the configuration process.
Here are setup instructions for some of the commonly used identity providers:
Identity provider | Setup instructions |
|---|---|
Okta | |
Auth0 | |
CyberArk (Idaptive) | |
Microsoft Entra ID (formerly known as Azure AD) | |
OneLogin | |
PingFederate |
Configure the portal access for customer organizations
To allow portal access to customers and customer organizations provisioned from your identity provider, you need to add synced customer organizations to the relevant Jira Service Management projects.
To view and manage synced customer organizations on your Jira Service Management site:
Go to Settings ( ) > Products > Jira Service Management > Organizations.
Customer organizations that are provisioned from an identity provider will show Synced under the Source column.
Select the organization name to open the organization detail page that shows all the customers belonging to that organization.
Read more about grouping customers into organizations
To add a customer organization to a Jira Service Management project:
From your service project, go to Customers.
Select Add organizations.
Add a new or existing organization by entering its name and selecting it in the dropdown.
Select Add.
If Customer service management is enabled in your project, follow these steps to add an organization:
From your service project, go to Organizations.
Select Add organization.
Add a new or existing organization by entering its name and selecting it in the dropdown.
Select Add.
Was this helpful?