
License Optimizer And SSO

Due to technical limitations, License Optimizer can't add users to the group providing application access during authentication with SSO.
This can only be done by configuring the SSO app you are using.

It doesn't necessarily have to be a SAML SSO app; it could also be one using the OpenID or OAuth protocol.
The important thing is that the app needs to support adding groups to a user during sign-on since we need to

  • add the users to the Allowed Users Group (only required for new users or existing ones who have never been optimized so far but should be)

  • add the users to the License Group

The following sections describe how to do that, depending on the authentication app and its provisioning method.
We can't explain that in detail for every app on the marketplace, so if you have any questions, don't hesitate to reach out and contact our support for help.

Atlassian Built-In SSO

Atlassian SSO only supports adding users to groups during login when it is configured to use Just-in-time user provisioning.
You need to make sure that the new group providing application access (configured in the License Group step) exists on the identity provider side and that users are members of it.
The Allowed Users Group only needs to be added for new users created during sign-on and for those you want to optimize.

Our Resolution SSO App

Assigning a group to users during SSO can be done in various ways and depends on whether you are using SAML SSO with Just-In-Time Provisioning or with User Sync.
Even if you haven't configured any user and group provisioning at all so far, you can do that. In that case, please refer to the next part.

If you can't or don't want to give application access to everybody logging in with SSO, you need to configure the Attribute Mapping options.
Please refer to this section on how to do that.

If you are already using User Sync for provisioning, please refer to this section.


Using Update from SAML attributes (Just-In-Time Provisioning)

To enable or change these settings, please do the following:

  • Open the SSO configuration page and the identity provider tab

  • Scroll to the User Creation and Update section

  • make sure that User Update Method is set to Update from SAML attributes

  • a bit further down below User Creation and Update from SAML Attributes,
    make sure that Update users not created by this app is checked (1) as pictured below

A bit of background here: (1) makes sure that even users who have not been created during login with our SAML SSO app are updated/added to the group.
(2) and (3) can stay as they are: if you haven't created users during login so far, you don't need to start doing so now just for the License Optimizer.

image2021-6-15_17-15-46.png

The final step is to add both the Allowed Users Group and the License Group to the Always add users to these groups group picker:

image2021-6-16_10-20-47.png


Should you only want to optimize a subset of your users signing in with SSO, you should only add the License Group and manage the members of the Allowed Users Group yourself.


Using Update from SAML attributes (Just-In-Time Provisioning) with Group Transformations

SAML SSO >= 4.x

  • Open the SSO configuration page and the identity provider tab

  • Scroll to the User Creation and Update section

  • make sure that User Update Method is set to Update from SAML attributes


Transformations can be applied in the attribute mapping table which can also be found in the User Creation and Update section.
It provides control over how to deal with groups sent by the IdP. Since users can be in different groups, you can conditionally assign them as required.

If the Groups attribute is not mapped yet, you'll see Map instead of Edit in the picture below.
(1) The group attribute sent by your IdP might be a different one for you.

image2021-6-16_13-20-24.png

By editing the mapping you can transform group names sent in the SAML response into the License Group name (e.g. if, for some reason, you can't create a group with that name on the IdP).
You can even transform one group name from the IdP into one or more other groups using Groovy code (read here, only SAML SSO 4 and later).

However, it is very likely that a transformation with a regular expression will suffice.
After clicking the Edit or Map button for the group mapping first, enable Regular Expression and click Edit below it:

image2021-6-14_21-53-35.png

Click Add Item +

image2021-6-14_21-54-11.png

Transform the group name on your IdP (1) into the License Group name (2):

image2021-6-16_13-33-5.png
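Because the License Group provides application access, it is worth checking which IdP groups a regular expression rule really maps to it before saving the transformation. The following is an added example, not code from the app or its vendor: the group names are constructed, Python's regex engine stands in for the app's, and since this page does not state whether the app matches the whole group name or a part of it, both behaviours are modelled.

```python
import re

LICENSE_GROUP = "jira-license-group"  # hypothetical License Group name
# Constructed sample: group names the IdP could send in the Groups attribute.
IDP_GROUPS = ["jira-users", "jira-users-external", "old-jira-users", "confluence-users"]

LOOSE_RULE = [(r"jira-users.*", LICENSE_GROUP)]    # wildcard tail
STRICT_RULE = [(r"^jira-users$", LICENSE_GROUP)]   # anchored, exact name only


def apply_rules(group, rules, full_match=True):
    """Return the transformed name of one IdP group (first matching rule wins)."""
    for pattern, replacement in rules:
        rx = re.compile(pattern)
        if full_match:
            m = rx.fullmatch(group)          # assumption: rule must cover the whole name
            if m:
                return m.expand(replacement)
        elif rx.search(group):               # assumption: rule rewrites the matched part
            return rx.sub(replacement, group)
    return group                             # no rule matched: name passes through


def granted_by(rules, idp_groups, target=LICENSE_GROUP, full_match=True):
    """IdP groups whose members would end up in `target` after transformation."""
    return sorted(g for g in set(idp_groups)
                  if apply_rules(g, rules, full_match) == target)


def audit(rules, idp_groups, intended, target=LICENSE_GROUP):
    """Per matching mode, list IdP groups that reach `target` but were not intended to."""
    report = {}
    for label, full in (("full_match", True), ("search", False)):
        hits = set(granted_by(rules, idp_groups, target, full))
        report[label] = sorted(hits - set(intended))
    return report


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULE), ("strict", STRICT_RULE)):
        print(name, audit(rules, IDP_GROUPS, intended={"jira-users"}))
```

Run it with the group names your IdP actually sends; any group listed in the report would give its members application access through the License Group without that being intended.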

SAML SSO <= 3.6.5

  • Open the SSO configuration page and the identity provider tab

  • Scroll to the User Creation and Update section

  • make sure that User Update Method is set to Update from SAML attributes

Group transformations can be applied in the Group Settings section:

image2021-6-16_13-40-12.png

This is all you need to do to make sure that users are getting added to the License Group during login.
Remember:

You only need to add users to the License Group and the Allowed Users Group if you are creating users during login.


Provisioning With User Sync

When using User Sync as part of SAML SSO, here is what you need to do:

  • make sure that the License Group is not removed during synchronization

  • make sure the Allowed Users Group is assigned to the users you want to optimize

Read below how to do that. 

SAML < 5 / User Sync < 2

  • edit your User Sync connector and click on the Show Advanced button

  • scroll down to Local Group Management and add the License Group to the Keep these Groups list

    • in the screenshot below, the connector also adds the Allowed Users Group to everybody being synced; that might be different for you if you can't or don't want to optimize everybody being synced

    • you can skip that if you already have the wildcard expression .* added

      image2021-6-17_9-19-0.png
  • save your settings

You can read more about group management with User Sync in our knowledge base.

SAML >= 5 / User Sync >= 2

  • edit your User Sync connector and switch to the Provisioning Settings tab

  • scroll down to the Group Management/ Never Remove Users From These Groups field and add the License Group to it

    • you can skip that if you already have the wildcard expression .* added

      image2021-6-17_9-25-8.png



      image2021-6-17_9-25-56.png
  • adding users to the Allowed Users Group depends on whether you want to optimize everybody being synced or not

    • if you can, add the Allowed Users Group to Always Assign Users to Certain Groups at the top of the Provisioning Settings tab

      image2021-6-17_9-31-44.png



    • if not, you need to use the attribute mapping and its Group attribute to conditionally add the group to some of your users

  • save your settings

You can read more about group management with User Sync in our knowledge base.