Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
Important Update! This app will be discontinued soon!
Due to recent changes in Jira, which no longer ships with some components required for our Read Receipts app to run, we've made the tough decision to discontinue the app, as of Februar 5, 2025.
Important Update! This app will be discontinued soon!
We've made the tough business decision to discontinue the app, as of January 11, 2025.
JIT and Azure AD: Sending Groups via SAML Attributes
Overview
In this article you learn how to transmit group with Just In Time Provisioning. Since Azure AD only supports sending group ids instead of group names, you have to create a group transformation for each group.
Configure Azure AD for Transmitting Groups via SAML Attributes
With the standard settings, Azure AD does not send group ids for Just In Time Provisioning. To change this, do the following:
Click on "Azure Active Directory" in the left panel and then click on "App registrations (Preview)".
Next, click on "All Applications" and search for the Enterprise Application you have created for the SAML SSO app.
Click on the Enterprise Application you have created.
Next, click on "Manifest" in the left panel.
Click on "Download" and save the file to your computer.
Open the file with a text editor of your choice and search for the line <<"groupMembershipClaims": null>>.
Substitute <<null>> with <<"All">> (with the " " quotation marks). Save the file. The file should now look like this:
For the next step, go to your web browser and click on "Upload".
Click the blue folder icon and upload the file you have edited before from your computer.
Click "Save". Now, Azure AD will send the group ids of a user when logging in. Since only ids will be sent, you have to create a transformation rule per group.
Configure the SAML SSO app for JIT with Azure AD
Now, scroll down in the Wizard to access the group settings. For the "Group Attribute", use "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups".
Depending on your Atlassian product, it is a good idea to set (default) user group(s) for new users, such as "jira-software-users" for Jira or "confluence-users" for Confluence. Without assigning new users to the product specific group, they are not able to use your Atlassian product. Also, feel free to activate any option which suits your needs.
To create groups automatically which do not exist in your Atlassian product, activate "Add Non Existing Groups".
Click "Save & Next" to continue.
Click "Skip test & configure manually".
Click "OK". Now, the wizard will be closed and you can see the full configuration the SAML SSO app.
Scroll down in the configuration to "Group settings". Since Azure AD only transfers group ids and not group names, group transformations must be created when youif want to have group names instead of group ids. Click on "Add one" to add a new group transformation.
To create a transformation for a group id to a name, you need the group id. The id of a group can be found in Azure AD on the page of the group. Copy the Object ID.
Back in your Atlassian product, paste the Object ID into the textfield next to "Replace" and the group name into the textfield next to "with". Now, when Azure sends the group ID, it will be automatically transformed to the the specified group. If you want to transform multiple group ids, press the plus button to add more transformations.
Now scroll up to the beginning of the page and click "Save settings".
