If LDAP and User Sync are no options for you, SAML SSO for Server and Data Center also gives you the option to use Just In Time (JIT) provisioning.
JIT creates and updates users on-the-fly via the SAML attributes when they log in into your Atlassian Server or Data Center product (see Create or update users through SAML Attributes).
Setting up JIT is more effort then LDAP or User Sync, but since it uses SAML attributes it is always an option to lower your administration effort.


  • Users will only be created when needed.
  • Users also can be updated.
  • It is also possible to send group memberships via SAML attributes, thus updating the groups of a user. But there are limitations for Azure AD (see Disadvantages)
  • Lowers your administration efforts in comparison to manage users manually.


  • You cannot disable users.
  • Similar to User Sync, users are also not able to login with their password if single sign on fails for any reason.
  • Users only get created after their first log in, thus you cannot assign users to projects or tickets before their first login.
  • If you modify your user at your IdP, users only get updated after they log out and log in again. In consequence, when you assign or remove groups from users or change their profile, your Atlassian product will only be update the users, when they log out and log in again.
  • For Azure AD, there is also a special restriction:
    • In contrast to other IdPs, Azure AD only transmits group ids via the SAML attributes, e.g. "42" instead of the group name. If you only have a small amount of groups and you do not really add new groups often, you can use the group transformation feature of our SAML plugin to create a special group mapping. E.g. "42" then can be mapped to a group name. But, this is only feasible when you only have a low number of groups, since you have to create the group transformations for each group by hand.
  • JIT is not supported in FeCru.