Below, you can find information to setup Keycloak with our SAML SSO app for Jira Server, Jira Data Center, Confluence Server, Confluence Data Center, Bitbucket Server, Bitbucket Data Center, and other Atlassian products.

If you need help or have questions, you can contact us via our help desk or book a free screen share session at

Step-by-Step Guides with SAML2

Based on the user provisioning model you need, pick one of the following step-by-step guides.
See a comparison of each model in the table at the page bottom.

Some important notes:

Step-by-Step Guides with OpenID Connect

Some important notes:

Which Step-by-Step Guide should you pick?

Depending on your Atlassian product, you can choose from different user provisioning models. 

In general, with Keycloak we support the following ways for user provisioning:

  1. Just in Time Provisioning allows to create and update users on-the-fly when they log in. See our detailed article for JIT.
  2. For Manual User Management, the administrator has to create and update users on Okta and your Atlassian product by hand
    We do not recommend it. See our article for Manual User Management.

As of July 15th, 2019, Keycloak is supported by User Sync so that users can be periodically synced from it,
but also when they log in for the first time into your Atlassian Server or Data Center product. Read our detailed article for User Sync.

Usually we recommend User Sync for user provisioning, a documentation how to use it will be released very soon.

Model/FunctionAdmin EffortPro's and Con's
Just in Time Provisioning


  • Creates & Updates users based on information in the SAML Response during Login
  • Users are only created on their first Login.
  • Users & Groups are updated only during SAML authentication
Manual User ManagementHigh 

  • Here no sync between Keycloak and Atlassian application happens
  • Needs manual maintenance of two user bases (or is done via custom developments).

User Sync

  • Uses Keycloak API to perform regular sync
  • Users and groups created & updated shortly after done in Keycloak
  • Users in Atlassian applications can be disabled as a result of a sync, saving licenses
  • Additional attributes can be written to Jira user properties