Disable users on login when a group is missing
Problem
Users should be created and updated based on the attributes sent by the SAML or OIDC IdP during login (Just-in-Time provisioning). When a specific group is not sent by the IdP, the user should be disabled and the login should be denied.
Solution

The Just-in-Time provisioning built into the SAML configuration cannot disable a user during login. The reason for this limitation is the assumption that the IdP should not send a successful response at all for a user who is not allowed to log in. The limitation does not apply, however, when a User Sync connector is used to update the user during login, because the connector is allowed to set the user's active flag and an inactive user cannot log in.
Step 1: Create a Connector
In the User Sync configuration, add a connector of type Just-in-Time.

Give it a name and select the directory.

Go to the Provisioning Settings and map the attributes from the SAML response to the appropriate Jira attributes.
In this example, the username comes in the SAML Name ID, the full name in the attribute fullname, the email address in email and the user's groups in groups. The exact attribute names depend on the IdP; check the attribute statement in an actual SAML response from your IdP before mapping them.
See (2.16.x) Just-in-Time Connector for more details.

The User active flag is configured using a Groovy transformation.

In this example, the user is set active only if the groups sent by the IdP contain the group jira-servicedesk-users; if the group is missing, the active flag is set to false.
Save the connector.
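The following Groovy script is an added example of such an active-flag transformation; it is not code from the original article or from the vendor's product. It assumes that the value mapped from the IdP's groups attribute is available to the script under the binding name groups, and that the script's last expression becomes the value of the active flag; both are assumptions, so check the connector's documentation for the real binding names. The script also handles the shapes the attribute can realistically arrive in (absent, a single string, an array, or a list) and fails closed when the attribute is missing.

```groovy
// Added example, not code from the original article or from the vendor's
// product: a Groovy transformation that derives the user's active flag from
// the groups attribute the IdP sent. ASSUMPTIONS: the mapped groups value is
// available to the script under the binding name "groups", and the script's
// last expression is the value stored in the active flag. Check your
// connector's documentation for the real binding names.

final String REQUIRED_GROUP = 'jira-servicedesk-users'

// The raw attribute may be absent (null), a single String, an array, or a
// Collection, depending on the IdP. Normalise all of these to a trimmed list
// of non-empty strings so the membership check below is the same in every case.
List<String> normaliseGroups(Object raw) {
    if (raw == null) {
        return []
    }
    List values = (raw instanceof Collection || raw.getClass().isArray()) ? (raw as List) : [raw]
    return values.collect { it?.toString()?.trim() }.findAll { it }
}

// Fail closed: a missing or empty groups attribute yields false, so a user
// whose IdP record lost the group (or whose IdP stopped sending the attribute
// altogether) is deactivated on the next login rather than silently kept active.
// The comparison is exact and case-sensitive; only relax it to equalsIgnoreCase
// if you know the IdP varies the case of group names.
boolean isActive(Object rawGroups, String requiredGroup) {
    return normaliseGroups(rawGroups).contains(requiredGroup)
}

// Read the bound value defensively so the script does not throw a
// MissingPropertyException (and abort the login) when the attribute was not
// mapped at all; an unbound attribute is treated like an empty one.
Object rawGroups = binding.hasVariable('groups') ? binding.getVariable('groups') : null

// Self-checks on constructed sample values, so the logic can be exercised in a
// Groovy console before the script is pasted into the connector.
assert isActive(['jira-users', 'jira-servicedesk-users'], REQUIRED_GROUP)
assert isActive('jira-servicedesk-users', REQUIRED_GROUP)
assert !isActive(['jira-users'], REQUIRED_GROUP)
assert !isActive(null, REQUIRED_GROUP)
assert !isActive(['JIRA-SERVICEDESK-USERS'], REQUIRED_GROUP)

return isActive(rawGroups, REQUIRED_GROUP)
```

The assert lines are there so the script can be run in a Groovy console with constructed input; they can be deleted once the script is pasted into the connector. Keeping the comparison exact and the missing-attribute case false is the safer default for an access decision: a typo in the IdP's group name or a dropped attribute results in a denied login that is easy to notice, not in a user who stays active by accident.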
Step 2: Configure the IdP Settings
In the SAML configuration page, open the IdP settings. In the section User Creation and Update, select Update with UserSync-Connector.
Select the connector configured in Step 1.
Enable the checkbox Allow connector to set the user's active state. Without this option the connector still updates the other attributes, but the active flag computed by the transformation is ignored.

Save the IdP settings.
On the next login, the connector deactivates the user if the IdP no longer sends the group jira-servicedesk-users, and the login is denied. To verify the setup, remove the group from a test user in the IdP, log in as that user, and confirm that the login fails and that the user is shown as inactive in Jira's user management.
