Configure Atlassian Cloud user provisioning

Once you set up single sign-On (SSO), your next step as an administrator is to set up automated user provisioning. This lets you authorize, create, modify, or delete your user's identity once in G Suite. You can also see identity changes reflected in Atlassian.

Get the API Token and endpoint URL for the Atlassian Cloud application
  1. Sign in to your Atlassian Admin Console as an administrator.
  2. Open your Organization settings.
  3. Navigate to User Provisioning.
  4. Click Create a directory.
  5. Enter your directory name and click Create.
  6. Copy both the Directory base URL and API Key.
  7. Click Done.
Set up user provisioning for the Atlassian Cloud application
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Atlassian Cloud application.
  4. Click User provisioning.
  5. Click Set up user provisioning.
  6. In the Authorize dialog box, paste the API Key you copied from Atlassian Cloud, then click Next.
  7. Replace the Atlassian Cloud endpoint URL with the URL you copied from Atlassian Cloud that contains your unique ID.
  8. Click Next.
  9. In the Map attributes dialog box:
    1. Next to the selected cloud directory attribute, click Down Arrow to map to the corresponding Atlassian attribute. 
      Attributes marked with (*) must be mapped.

      Important: Ensure that the Atlassian "User department" attribute is mapped to the Cloud Directory attribute “Employee Details > Department”. Also, make sure the Department attribute is configured for your users in Google. This attribute must be present or user provisioning will fail.

    2. Click Next.
  10.  (Optional) In the Set provisioning scope dialog box, add a group to restrict provisioning to members of groups you define:
    1. Click the underscore and start entering your group name.
      A list of available groups appears. Selecting one adds it and opens another underscore to use to add another.
    2. If necessary, add more groups and choose a scope. 
    3. To remove any group you added, click Edit next to it.
  11. Once you’re done, click Finish.
  12. Review the information in the Provisioning summary dialog box, then click OK.
  13. Choose one of the following actions:
    • Click Activate provisioning.
    • If needed, first enable the Activate Provisioning button: 
      1. Set the app to On for everyone or On for some organizations
        If the app is set to Off, this choice is grayed out.
      2. Reload the page, then click Activate provisioning.
  14.  ​In the confirmation dialog box, click Activate.
Display user provisioning

Once provisioning is on, Google starts collecting usage information. You'll see the usage information section next to the User provisioning section. There won't be any numbers next to the event names until you enable provisioning.

The following event names provide the usage information for the last 30 days:

  • Users created
  • Users suspended
  • User failures

For more information, see Monitor user provisioning.

Edit provisioning scope

You may want to restrict the scope of provisioning to members of groups you define. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Atlassian Cloud application.
  4. Click User provisioning.
  5. Click Edit provisioning scope.
    A new Set provisioning scope window appears. 
  6. In the Set provisioning scope dialog box, add a group to restrict provisioning to members of groups you define:
    1. Click the underscore and start entering your group name. 
      A list of available groups appears. Selecting one adds it and opens another underscore for you to add another.
    2. If necessary, add more groups. 
    3. (Optional) To remove a group you added, next to it, click  Edit.
  7. Once you’re done, click Finish.

The next time you click Edit provisioning scope under the User provisioning section, the groups you added appear in the Set provisioning scope window. If you turned on the Atlassian application for a set of organizational units, the provisioning scope is restricted to those users in the added groups who are also members of those organizations.

Deactivate user provisioning

To disable user provisioning for the Atlassian application without losing all the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Atlassian Cloud application.
  4. Click User provisioning.
  5. Click Deactivate provisioning.
    A new Deactivate provisioning window appears.
  6. Click Deactivate
Define deprovisioning time frames

To define how long deprovisioning actions should be delayed before taking effect:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Open the Atlassian application.
  4. Select the User provisioning section.
  5. In this section, click Edit deprovisioning config.
    A new Deprovisioning configuration window appears.
  6. Choose how long deprovisioning actions should be delayed before taking effect. Select at least one of these options:
    1. When an app is turned off for the user, hard delete their account after [number of days].
    2. When a user is suspended on Google, hard delete their account after [number of days].
    3. When a user is deleted from Google, hard delete their account after [number of days].

      The amount of time before deprovisioning takes effect can be set to: within 24 hours or after one, 7, or 30 days.

      Tip: Always set more time before hard deleting a user's account than for suspending a user's account.
  7. Click Save to save your edited deprovisioning configuration.
Remove user provisioning

To disable user provisioning for the Atlassian application and remove all the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Atlassian Cloud application.
  4. Click User provisioning.
  5. Click Delete provisioning.
    A new Delete provisioning config window appears.
  6. Click Delete to both deactivate user provisioning and remove all the configuration information.
    Existing users on Atlassian Cloud will not be deprovisioned.
Was this helpful?
How can we improve it?