Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
Important Update! This app will be discontinued soon!
Due to recent changes in Jira, which no longer ships with some components required for our Read Receipts app to run, we've made the tough decision to discontinue the app, as of Februar 5, 2025.
Important Update! This app will be discontinued soon!
We've made the tough business decision to discontinue the app, as of January 11, 2025.
License Optimizer And SSO
Due to technical limitations, License Optimizer can't add users to the group providing application access during authentication with SSO.
This can only be done by configuring the SSO app you are using.
It doesn't necessarily have to be a SAML SSO app; it could also be an app that uses the OpenID or OAuth protocol.
The important thing is that the app needs to support adding groups to a user during sign-on since we need to
- add the users to the Allowed Users Group (only required for new users or existing ones who have never been optimized so far but should be)
- add the users to the License Group
The following sections describe how to do that, depending on the authentication app and its provisioning method.
We can't explain that in detail for every app on the marketplace, so if you have any questions, don't hesitate to reach out and contact our support for help.
Atlassian Built-In SSO
Atlassian SSO only supports adding users to groups during login when configuring it to use Just-in-time user provisioning. If that's the case, you must ensure that the new group providing application access (configured in the License Group step) exists on the identity provider side and that users are members. The Allowed Users Group only needs to be added for new users created during sign-on and for those you want to optimize.
Exceptions
There is still a chance License Optimizer might work with Atlassian SSO, even without using the above method, provided your IDP:
- Doesn't send an encrypted response
- The NameID attribute has the name/ looks like this <saml2:NameID>username@company.com</saml2:NameID>
- As of January 23, 2025, we are evaluating extending the NameID attribute types, i.e., to <NameID>username@company.com</NameID> as used in Entra/ Azure responses
- The NameID in the SAML response contains the username the user has in Jira or Confluence so our app can add the user to the license group.
The other exception is Jira, which has JSM installed. JSM exposes a customer portal, and we can detect who the user is because of how authentication is handled.
Be careful relying on that because uninstalling JSM again would impact the SSO login of users still accessing Jira for Jira Software.
If you have doubts about using License Optimizer with Atlassian SSO, please contact our support team.
Our Resolution SSO App
Assigning a group to users during SSO can be done in various ways and depends on whether you are using SAML SSO with Just-In-Time Provisioning or with User Sync.
You can do that even if you haven't configured any user- and group-provisioning. In that latter case, please refer to the next part already.
If you can't or don't want to add everybody logging in with SSO to have application access, you need to configure the Attribute Mapping options.
Please refer to this section on how to do that.
When using User Sync for provisioning already, please refer to this section.
Using Update from SAML attributes (Just-In-Time Provisioning)
To enable or change these settings, please do the following:
- Open the SSO configuration page and the identity provider tab
- Scroll to the User Creation and Update section
- make sure that User Update Method is set to Update from SAML attributes
- a bit further down below User Creation and Update from SAML Attributes,
make sure that Update users not created by this app is checked (1) as pictured below
Here is a bit of background: (1) Make sure that even users who have not been created during login with our SAML SSO app are updated/ added to the group.
(2) and (3) can stay as are because if you haven't created users so far, you don't need to start with that now just for the license optimizer.
The final step is to add both the Allowed Users Group and the License Group to the
Should you only want to optimize a subset of your users signing in with SSO, you should only add the License Group and manage the members of the Allowed Users Group yourself.
Using Update from SAML attributes (Just-In-Time Provisioning) with Group Transformations
SAML SSO >= 4.x
- Open the SSO configuration page and the identity provider tab
- Scroll to the User Creation and Update section
- make sure that User Update Method is set to Update from SAML attributes
Transformations can be applied in the attribute mapping table, which can also be found in the User Creation and Update section.
It provides control over how to deal with groups sent by the IDP. Since users can be in different groups, you can conditionally assign them as required.
If the Groups attribute is not mapped, you'll see Map instead of Edit in the picture below.
(1) the group attribute sent by your IDP might be a different one for you
By editing the mapping, you can transform group names sent in the SAML response into the license group name (i.e., if you can't create the group for some reason with that name on the IdP)
You can even transform one group name from the IdP into one or more other groups using Groovy code (read here, only SAML SSO 4 and later).
However, a transformation with a regular expression will likely suffice.
After clicking the Edit or Map button for the group mapping first, enable Regular Expression and click Edit below it:
Click Add Item +
Transform the group name on your IdP (1) into the License Group name (2):
SAML SSO <= 3.6.5
- Open the SSO configuration page and the identity provider tab
- Scroll to the User Creation and Update section
- make sure that User Update Method is set to Update from SAML attributes
Group transformations can be applied in the Group Settings section:
This is all you need to do to ensure that users are getting added to the License Group during login.
Remember:
You only need to add users to the License Group and the Allowed Users Group if you are creating users during login.
Provisioning With SAML SSO and User Sync
When using User Sync as part of SAML SSO, here is what you need to do:
- change the User Update Method in your SAML SSO configuration so that you can assign the License Group during Single Sign-On
- make sure that User Sync does not remove the License Group during scheduled synchronization
- make sure User Sync assigns the Allowed Users Group to the users you want to optimize
Please refer to the version-specific instructions below, we are using an Azure AD User Sync connector in our examples but it could be any of the other connector types.
Why do we need to apply these changes?
- License Optimizer can only optimize users it knows by name
- before login, this information is not available yet
- with the SAML SSO change, we add the user logging in to the group providing application access
- with the User Sync changes explained below, we also make sure that the group is not removed again during the scheduled sync and let License Optimizer deal with that instead
SAML < 5
For the few SAML SSO 4.x release some of the settings might look slightly different.
- First, adjust your SAML SSO configuration by scrolling down to User Creation and Update in the Identity Providers tab of the config.
- Change the User Update Method to Update with UserSync-Connector and apply the SAML attributes.
- make sure that under User Creation and Update from SAML Attributes below the above section is as pictured below
- you don't need to create new users; User Sync does that already
- just check the Update non-SAML Provisioned Users box
- Scroll further down to Group Settings and add the License Group under User Groups:
- Save the SAML SSO configuration changes.
Now, it's time to adjust the User Sync connector.
- edit your User Sync connector and click on the Show Advanced button
- scroll down to Local Group Management and add the License Group to the Keep these Groups list
- Optional: in the screenshot below the connector also adds the Allowed Users Group to everybody being synced; that might be different for you if you can't/ want to optimize everybody being synced
- you can skip that if you already have the wildcard expression .* added
- Optional: You can read more about group management with User Sync in our knowledge base
- Save your User Sync connector changes.
SAML >= 5
- First, adjust your SAML SSO configuration by scrolling down to User Creation and Update in the Identity Providers tab of the config.
- Change the User Update Method to Update with UserSync-Connector and apply SAML attributes:
- scroll a bit down and make sure that under User Creation and Update from SAML Attributes below the above section is as pictured below
- you don't need to create new users; User Sync does that already
- just check the Update non-SAML Provisioned Users box
- Scroll a bit down to Group Setting and add the License Group under Always add users to these groups:
Now, it's time to adjust the User Sync connector.
- edit your User Sync connector and switch to the Provisioning Settings tab
- scroll down to the Group Management/ Never Remove Users From These Groups field and add the License Group to it
- you can skip that if you already have the wildcard expression .* added
- you can skip that if you already have the wildcard expression .* added
- Optional: adding users to the Allowed Users Group depends on whether you want to optimize everybody being synced or not
- if you want, add the Allowed Users Group group to Always Assign Users to Certain Groups at the top of the Provisioning Settings tab
- If not, you need to use the attribute mapping of the User Sync connector and its Group attribute to add the group to some of your users conditionally.
- You can read more about group management with User Sync in our knowledge base
- You can read more about group management with User Sync in our knowledge base
- if you want, add the Allowed Users Group group to Always Assign Users to Certain Groups at the top of the Provisioning Settings tab
- Save your changes