The below explanation and configuration applies to the SAML Authenticator.
Group memberships using NTLM or Kerberos depend on your user directory settings (default Atlassian application User Management functionality).
Just-in-time (JIT) user provisioning with the EasySSO SAML authenticator lets you manage group memberships centrally in your SAML Identity Provider (IdP), with changes propagating to every system connected via SAML without manual intervention.
It typically saves a lot of manual administration work in provisioning and updating users and fulfils security and compliance needs.
There are a number of options to consider for JIT user provisioning when using the SAML authenticator in EasySSO:
- Create the user account when they first log in to the application (e.g. Jira or Confluence) via your SAML IdP
- Add the user to groups defined by your SAML IdP on their first login
- Update groups on every successful login including adding and removing membership
- Create any groups defined by IdP but not yet present in the application
These options can be configured to meet your performance, security and compliance requirements. If you are unsure which configuration is best for your situation, feel free to contact our 24x7 support desk.
To reach the SAML Configuration:
Go to Manage Apps > TechTime Apps > EasySSO > SAML
IdP Specific Configuration
EasySSO takes the groups from an attribute (a.k.a. "claim") in the SAML login response.
By default, we expect this information to be in the attribute named "urn:oid:2.5.4.31" (so the IdP needs to be configured to send a claim/attribute with this name). This mapping can be re-configured in the "Attributes" tab of EasySSO's SAML configuration page, i.e. you can do the opposite – let the IdP send the claim under whatever default name it prefers, and instruct EasySSO to look for that name.
EasySSO expects this attribute to be multi-valued, with each value containing the name of one of the user's groups as a string.
Your IdP will likely need specific configuration to send group names to EasySSO correctly:
- Keycloak - you will need to add a mapper with type "Group List", Single Group Attribute: ON, Full Group Path: OFF
- Azure AD - you will need to convert Azure groups to EasySSO application roles: Configure EasySSO SAML Groups with Azure AD
Create a User the first time they log in
To automatically provision (i.e. create) the user when they first log in, check "Create User" checkbox in the "New User" section.
By default, the username will be determined by the value of the "UID Attribute" claim/attribute that the SAML IdP needs to send. The attribute that is used for this can be configured in the "Attributes" tab.
You can optionally use a regex rule to parse the username from the attribute. See Username Parsing for more information.
You may want to check "Use Default Group" to add some groups on the first login so that the user has enough permissions to use the application. Usually these are "local" groups, not the ones that the IdP manages. This is targeted at the scenario where a successful authentication on the IdP side is enough to allow access to the application. You can select a combination of default groups to add in the "" field. The list will present all groups known to the application at the time of configuration.
For example, the below configuration will add the user to "jira-software-users" and "jira-servicedesk-users" when they first log in via SAML:
Add the user to IdP defined groups the first time they log in
If you want the user to be added to several groups when they first log in, based on some attribute sent by your SAML IdP, you can check the "Use SAML Groups" option.
If you are using groups defined by your IdP, it is worth verifying that your attribute mapping for groups is correct (in the "Attributes" tab).
When groups are sent by the SAML IdP, but not found in the application, EasySSO can optionally create these groups in the application, and add the user to those groups. To enable this, check "Create SAML Groups".
If there are groups sent by the IdP that you do not want EasySSO to create in the application or to add users to, you can list them in the "Ignored Groups" field. A common use case is to exclude "confluence-administrators" from being managed by the IdP, since it grants super-admin powers and you would only give it out locally.
The below configuration will add users to the groups provided by the IdP (and create those groups in the application if they do not exist), while ignoring the groups "confluence-admins" and "stash-admins" if the IdP sends them:
Update groups on every successful login
If you would like a user's groups to be completely determined by your IdP, EasySSO can update user groups based on the SAML response on every successful login.
To enable this, select the "Re-sync with SAML Groups" option. You can also ignore specific groups sent by your IdP by adding them to the "Ignored Groups" field. As mentioned above, a common use case is to exclude "confluence-administrators" from being managed by the IdP, since it grants super-admin powers and you would only give it out locally.
It is also worth ensuring that the attribute mapping for "Groups" in the attributes tab is correctly configured for your IdP.
The below configuration will:
- Add the user to SAML defined groups on the first login
- Create the groups if they do not exist already
- Add or remove the user from the relevant groups on any subsequent login
- Ignore the following groups if sent by the IdP: "confluence-admins" and "stash-admins"
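The following is an added example (not EasySSO's code) that models the two things this page describes: extracting group names from the multi-valued "urn:oid:2.5.4.31" attribute of a SAML assertion, and the JIT group decisions driven by the "Use SAML Groups", "Create SAML Groups", "Re-sync with SAML Groups" and "Ignored Groups" options. The assertion is a constructed sample; the function names are hypothetical, and two behaviours the page does not spell out are assumptions: ignored groups are never added or removed, and re-sync removes memberships the IdP did not send.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_ATTR = "urn:oid:2.5.4.31"  # EasySSO's default attribute name for groups

# Constructed sample: one multi-valued group attribute, the shape EasySSO expects
# (e.g. a Keycloak "Group List" mapper with Single Group Attribute ON, Full Group Path OFF).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUPS_ATTR}">
      <saml:AttributeValue>developers</saml:AttributeValue>
      <saml:AttributeValue>qa</saml:AttributeValue>
      <saml:AttributeValue>confluence-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_groups(assertion_xml, attr_name=GROUPS_ATTR):
    """Collect every value of the configured group attribute as a set of names.
    A real SP validates the response signature first and parses with a hardened
    parser (e.g. defusedxml); ElementTree is used here only to stay stdlib-only."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    groups = set()
    for attr in root.findall(".//saml:Attribute", ns):
        if attr.get("Name") == attr_name:
            groups.update(v.text.strip() for v in attr.findall("saml:AttributeValue", ns) if v.text)
    return groups


def plan_group_changes(idp_groups, current, app_groups, ignored, *, first_login,
                       use_saml_groups, create_saml_groups, resync):
    """Model of the JIT options: returns the groups to create, and the memberships to
    add and remove. Assumptions (not stated by the page): ignored groups are never
    added or removed, and re-sync removes memberships the IdP did not send."""
    if not resync and not (first_login and use_saml_groups):
        return {"create": set(), "add": set(), "remove": set()}
    wanted = idp_groups - ignored
    create = wanted - app_groups if create_saml_groups else set()
    addable = wanted if create_saml_groups else wanted & app_groups
    return {
        "create": create,
        "add": addable - current,
        "remove": (current - wanted - ignored) if resync else set(),
    }
```

With "confluence-admins" in Ignored Groups, the model never adds that membership even though the IdP sends it, which is the safeguard the page recommends for super-admin groups.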