For the SCIM connector to work properly, your identity provider must be able to communicate with the SCIM endpoints provided by User Sync.


This means that the AWS load balancer must not authenticate this connection to your instance; otherwise the request from your identity provider would be redirected to the identity provider's login page.

This also means that there is a path to the instance for which the connection is not authenticated.


To make a SCIM connector work in this scenario, you must:


  1. get the connector id of the connector,
  2. create a second load balancer rule that does not authenticate when the identity provider tries to connect to the instance's SCIM endpoints, and
  3. place this rule above the other rule so that the authentication is not triggered.


See the following for an example:




We created a second rule that forwards to the instance without authentication when the Path Pattern is:

    /rest/samlsso-admin/1.0/usersync/connector/<connector-id>/*


This makes sure that all SCIM endpoints User Sync provides are reachable from the outside. Please note that instead of using the wildcard "*" you can also create or-ed path rules, one for each endpoint described by the SCIM standard.
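As an added check (not part of this documentation or of User Sync), the following Python snippet verifies that a bypass rule like the one above is scoped to a single connector id and sits above the authenticating rule. It assumes rule data in the shape returned by `aws elbv2 describe-rules`; the connector id and the two sample rule sets are constructed placeholders.

```python
import re

AUTH_ACTIONS = {"authenticate-oidc", "authenticate-cognito"}
SCIM_PREFIX = "/rest/samlsso-admin/1.0/usersync/connector/"
CONNECTOR_ID = "CONNECTOR-ID-PLACEHOLDER"  # placeholder: copy the real id from the connector's Edit page

def alb_pattern_to_regex(pattern):
    """ALB path patterns: '*' matches zero or more characters, '?' exactly one."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")

def rule_matches(rule, path):
    """A rule with no path-pattern condition (such as the default rule) matches every path."""
    patterns = [v for cond in rule.get("Conditions", []) if cond.get("Field") == "path-pattern"
                for v in cond["PathPatternConfig"]["Values"]]
    return not patterns or any(alb_pattern_to_regex(p).match(path) for p in patterns)

def requires_auth(rules, path):
    """True if the first rule the ALB applies to `path` carries an authenticate action.
    ALB evaluates rules in ascending priority number; the default rule is evaluated last."""
    prio = lambda r: float("inf") if r["Priority"] == "default" else int(r["Priority"])
    for rule in sorted(rules, key=prio):
        if rule_matches(rule, path):
            return any(a["Type"] in AUTH_ACTIONS for a in rule["Actions"])
    raise ValueError("no rule matched; a real listener always has a default rule")

def scim_bypass_ok(rules, connector_id):
    """The bypass is correct only if this connector's SCIM paths skip authentication while
    other connector ids and the rest of the site still hit the authenticating rule."""
    return (not requires_auth(rules, f"{SCIM_PREFIX}{connector_id}/Users")
            and requires_auth(rules, f"{SCIM_PREFIX}other-connector-id/Users")
            and requires_auth(rules, "/dashboard"))

# Constructed sample rules in the shape of `aws elbv2 describe-rules` output.
BYPASS = {"Priority": "1", "Actions": [{"Type": "forward"}],
          "Conditions": [{"Field": "path-pattern",
                          "PathPatternConfig": {"Values": [f"{SCIM_PREFIX}{CONNECTOR_ID}/*"]}}]}
AUTH_ALL = {"Priority": "2", "Actions": [{"Type": "authenticate-oidc"}, {"Type": "forward"}],
            "Conditions": [{"Field": "path-pattern", "PathPatternConfig": {"Values": ["/*"]}}]}
RULES_OK = [BYPASS, AUTH_ALL]                               # bypass above the authenticating rule
RULES_MISORDERED = [dict(BYPASS, Priority="3"), AUTH_ALL]   # bypass below it: SCIM calls get redirected
```

Run `scim_bypass_ok` against the rules of your real listener to confirm both the ordering and that no path outside the connector's SCIM prefix is left unauthenticated.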


To find the connector id (and/or the URL), go to User Sync and click Edit for your connector: