This article shows three different ways to manage users in JIRA/Confluence. All types works perfectly together with our add-ons to provide Single Sign On.

In the order of best-practice that we see many of our customers implement in:

1.  External LDAP synchronisation to sync & update Users 

The preffered way from our perspective, is always to using a LDAP directory in JIRA, connected to the specific LDAP Server (e.g. Active Directory).

• There is only one single User management & provisioning side. No further administration are needed in JIRA/Confluence/Bitbucket. 
• Proactive creation/update of Users and Groups on regular intervals (sync). 
• Users have the ability/fallback to login with their password if the Single Sign On is disabled (due to failure for example).
• It is reducing the user management efforts substantially.

2.  User Creation&Update through the add-on with the JIRA Internal Directory

Customers who cannot use LDAP sync (due to connectivity, policy or because they use another IdP) often use our Add-on to create & update Users in the internal directory. Compared to the LDAP directory, using the internal directory needs more work, because you need to take care of both sides (JIRA Internal directory and LDAP Server). 

Furthermore, the User creation & update can only be done during every login. This means for example: An User will not be available in JIRA to assign a task before his first login. Or he may not get a new group assigned before he logs out & back in again.

This type is still preferred compared to manual User creation by many customers, but No 1 above is superior.

3.  Manual User management

Still what a few of our customer do but it's usually only chosen for legacy or for policy restriction reasons.