Due to technical limitations, License Optimizer can't add users to the group providing application access during authentication with SSO.
This can only be done by configuring the SSO app you are using.

It doesn't necessarily have to be a SAML SSO app, it could also be one using the OpenID or OAuth protocol.
The important thing is that the app needs to support adding groups to a user during sign-on since we need to

  • add the users to the Allowed Users Group (only required for new users or existing ones who have never been optimized so far but should be)
  • add the users to the License Group

The following sections describe how to do that, depending on the authentication app and its provisioning method.
We can't explain that in detail for every app on the marketplace, so if you have any questions, don't hesitate to reach out and contact our support for help.

Atlassian Built-In SSO

Atlassian SSO only supports adding users to groups during login when configuring it to use Just-in-time user provisioning
You need to make sure that the new group providing application access (configured in the License Group step) is existing on the identity provider side and that users are members of it.
The Allowed Users Group only needs to be added for new users created during sign-on and for those you want to optimize.

Our Resolution SSO App

Assigning a group to users during SSO can be done in various ways and depends on whether you are using SAML SSO with Just-In-Time Provisioning or with User Sync.
Even if you currently didn't configure any user- and group provisioning at all, you can do that. In that latter case, please refer to the next part already.

If you can't or don't want to add everybody logging in with SSO to have application access, you need to configure the Attribute Mapping options. 
Please refer to this section on how to do that.

When using User Sync for provisioning already, please refer to this section.


Using Update from SAML attributes (Just-In-Time Provisioning)

To enable or change these settings, please do the following:

  • Open the SSO configuration page and the identity provider tab
  • Scroll to the User Creation and Update section
  • make sure that User Update Method is set to Update from SAML attributes
  • a bit further down below User Creation and Update from SAML Attributes,
    make sure that Update users not created by this app is checked (1) as pictured below

A bit of background here: (1) makes sure that even users who have not been created during login with our SAML SSO app are updated/ added to the group.
(2) and (3) can stay as are because if you didn't create users so far, you don't need to start with that now just for the license optimizer.

The final step is to add both the Allowed Users Group and the License Group to the  

Should you only want to optimize a subset of your users signing in with SSO, you should only add the License Group and manage the members of the Allowed Users Group yourself.

Using Update from SAML attributes (Just-In-Time Provisioning) with Group Transformations

SAML SSO >= 4.x

  • Open the SSO configuration page and the identity provider tab
  • Scroll to the User Creation and Update section
  • make sure that User Update Method is set to Update from SAML attributes


Transformations can be applied in the attribute mapping table which can also be found in the User Creation and Update section.
It provides control about how to deal with groups sent by the IdP. Since users can be in different groups, you can conditionally assign them as required.

If the Groups attribute is not mapped yet, you'll see Map instead of Edit in the picture below.
(1) the group attribute sent by your IdP might be a different one for you


By editing the mapping you can transform group names sent in the SAML response into the license group name (i.e. if you can't create the group for some reason with that name on the IdP)
You can even transform one group name from the IdP into one or more other groups using Groovy code (read here, only SAML SSO 4 and later). 

However, it is very likely that a transformation with a regular expression will suffice.
After clicking the Edit or Map button for the group mapping first, enable Regular Expression and click Edit below it:

Click Add Item +

Transform the group name on your IdP (1) into the License Group name (2):

SAML SSO <= 3.6.5

  • Open the SSO configuration page and the identity provider tab
  • Scroll to the User Creation and Update section
  • make sure that User Update Method is set to Update from SAML attributes

Group transformations can be applied in the Group Settings section:

This is all you need to do to make sure that users are getting added to the License Group during login.
Remember:

You only need to add users to the License Group and the Allowed Users Group, if you are creating users during login.


Provisioning With SAML SSO and User Sync

When using User Sync as part of SAML SSO here is what you need to do:

  • change the User Update Method in your SAML SSO configuration so that you can assign the License Group during Single Sign-On
  • make sure that the License Group is not removed by User Sync during scheduled synchronization
  • make sure the Allowed Users Group is assigned by User Sync to the users you want to optimize

Please refer to the version-specific instructions below, we are using an Azure AD User Sync connector in our examples but it could be any of the other connector types.

Why do we need to apply these changes?

  • License Optimizer can only optimize users it knows by name
  • before login, this information is not available yet
  • with the SAML SSO change, we add the user logging in to the group providing application access
  • with the User Sync changes explained below, we also make sure that the group is not removed again during the scheduled sync and let License Optimizer deal with that instead

SAML < 5

For the few SAML SSO 4.x release some of the settings might look slightly different.

  • First, adjust your SAML SSO configuration by scrolling down to User Creation and Update in the Identity Providers tab of the config
  • Change the User Update Method to Update with UserSync-Connector and apply SAML attributes

  • make sure that under User Creation and Update from SAML Attributes below the above section is as pictured below
    • you don't need to create new users, User Sync does that already
    • just check the Update non-SAML Provisioned Users box

  • scroll further down to Group Settings and add the License Group under User Groups:

  • save the SAML SSO configuration changes


Now it's time to adjust the User Sync connector.

  • edit your User Sync connector and click on the Show Advanced button
  • scroll down to Local Group Management and add the License Group to the Keep these Groups list
    • Optional: in the screenshot below the connector also adds the Allowed Users Group to everybody being synced, that might be different for you if you can't/ want to optimize everybody being synced 
    • you can skip that if you already have the wildcard expression .* added
    • Optional: You can read more about group management with User Sync in our knowledge base




  • save your the User Sync connector changes

SAML >= 5

  • First, adjust your SAML SSO configuration by scrolling down to User Creation and Update in the Identity Providers tab of the config
  • Change the User Update Method to Update with UserSync-Connector and apply SAML attributes:


  • scroll a bit down and make sure that under User Creation and Update from SAML Attributes below the above section is as pictured below
    • you don't need to create new users, User Sync does that already
    • just check the Update non-SAML Provisioned Users box



    • scroll a bit down to Group Setting and add the License Group under Always add users to these groups:


Now it's time to adjust the User Sync connector.

  • edit your User Sync connector and switch to the Provisioning Settings tab
  • scroll down to the Group Management/ Never Remove Users From These Groups field and add the License Group to it
    • you can skip that if you already have the wildcard expression .* added



  • Optional: adding users to the Allowed Users Group depends on whether you want to optimize everybody being synced or not
    • if you want, add the Allowed Users Group group to Always Assign Users to Certain Groups at the top of the Provisioning Settings tab



    • if not, you need to use the attribute mapping of the User Sync connector and its Group attribute to conditionally add the group to some of your users
  • save your changes