In this article, we describe two of the User Sync settings: Cleanup Behaviour and Scheduled Synchronization. The Cleanup Behaviour is the last step of a full sync and runs after all users have been synchronized from the IdP. Users that already exist in the User Sync directory but were no longer returned by the IdP are handled according to the chosen Cleanup Method. A user is no longer returned by the IdP when:

  • they were deleted in your IdP (e.g., Azure AD), typically because they left the company and the IdP team removed the account
  • they are no longer a member of any of the required groups → Required Groups
  • they are dropped by a transformation in the attribute mapping → Group Transformations

With default settings, these users are deactivated (disabled). 

We recommend trying these options in a test environment before changing them in your production instance.

Instructions


User Sync offers the following cleanup behaviours:

  • Disable Users
    Users get deactivated, as Atlassian recommends. This frees licenses and retains the ticket history, since the user still exists.
  • Delete Users
    Users get deleted. We do not recommend this option: deleting a user has serious consequences, e.g., for assigned tickets and user comments.
  • Anonymize Users (reversible)
    Username, email, and full name are anonymized. Because the IdP user ID (e.g., the Azure ID) remains assigned to the user, this can be undone and the users renamed back to their original names.
  • Keep Users Without Modification
    Users are not changed by the cleanup behaviour.

The default behaviour is to disable users (as Atlassian recommends). When you change the cleanup behaviour, you need to click Save and Return, which saves and enables the new configuration. The next full sync then applies the new cleanup behaviour to every user that meets the criteria above.



Additional information for Anonymize Users (reversible)


    • Anonymize Users (reversible) requires SAML Single Sign On >= 5.2.1 / User Sync 2.2.1
    • Already disabled users are also anonymized
    • The user anonymization in User Sync currently works as follows:

      • The user is renamed to user-XXX
      • The email is changed to user-XXX@user.anon
      • The full name is changed to user-XXX
      • The user is deactivated
      • The flag ATTR_IS_ANONYMIZED=true is added to the user

XXX is a random string of 10 lowercase letters or digits. All other attributes, apart from username, email and full name, are left untouched.

Delete Users

    • Users get deleted
    • We do not recommend this option: deleting a user has serious consequences, e.g., for assigned tickets and user comments

Features

In addition to the Cleanup Behaviours above, the following features are available:

  • Remove group memberships during cleanup
    • When this option is checked, all group memberships are removed during cleanup. This also applies to users that were cleaned up in an earlier run.
  • Use Groovy to decide about cleaning up a user
    • This feature lets you use a Groovy script to decide whether a user is cleaned up or not. Please check our article on it.
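To make the cleanup step concrete, here is an added Python model of it. This is example code written for this article, not User Sync's own implementation: it simulates the four cleanup methods, the reversible anonymization (user-XXX with a 10-character suffix of lowercase letters and digits, the ATTR_IS_ANONYMIZED flag, reversal via the retained IdP ID), the "remove group memberships" option, and a `should_clean` callback standing in for the Groovy decision hook. The `User` dataclass, the directory keyed by IdP ID, the `idp_records` lookup shape, the assumption that the callback returns True to clean a user up, and the sample users are all constructed for the example.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# XXX is "a random string of 10 numbers or lowercase characters"
ANON_ALPHABET = string.ascii_lowercase + string.digits
ANON_FLAG = "ATTR_IS_ANONYMIZED"


@dataclass
class User:
    """Assumed minimal user record; the real directory schema is richer."""
    username: str
    email: str
    full_name: str
    idp_id: str                  # IdP user ID (e.g. Azure object ID); kept through anonymization
    active: bool = True
    groups: List[str] = field(default_factory=list)
    attributes: Dict[str, str] = field(default_factory=dict)


def random_suffix(length: int = 10) -> str:
    return "".join(secrets.choice(ANON_ALPHABET) for _ in range(length))


def anonymize(user: User, suffix: Optional[str] = None) -> User:
    """Username, email and full name become user-XXX; the user is deactivated; the flag is set.
    Every other attribute (groups, IdP ID, custom attributes) is left untouched."""
    if user.attributes.get(ANON_FLAG) == "true":
        return user                              # already anonymized in an earlier run
    xxx = suffix if suffix is not None else random_suffix()
    user.username = f"user-{xxx}"
    user.email = f"user-{xxx}@user.anon"
    user.full_name = f"user-{xxx}"
    user.active = False                          # disabled users are anonymized too
    user.attributes[ANON_FLAG] = "true"
    return user


def deanonymize(user: User, idp_records: Dict[str, Dict[str, str]]) -> User:
    """Undo the rename by matching the retained IdP ID against the IdP's current data.
    idp_records is an assumed {idp_id: {username, email, full_name}} lookup."""
    rec = idp_records.get(user.idp_id)
    if rec is None or user.attributes.get(ANON_FLAG) != "true":
        return user
    user.username = rec["username"]
    user.email = rec["email"]
    user.full_name = rec["full_name"]
    del user.attributes[ANON_FLAG]
    return user                                  # stays deactivated; reactivation is a separate decision


def cleanup(directory: Dict[str, User], returned_idp_ids: Set[str], method: str,
            remove_groups: bool = False,
            should_clean: Optional[Callable[[User], bool]] = None) -> Dict[str, User]:
    """Cleanup step of a full sync. `directory` is keyed by IdP ID; `returned_idp_ids` is what
    the IdP delivered in this run. `should_clean` stands in for the Groovy decision hook
    (assumed semantics: return True to clean the user up, False to leave it alone)."""
    if method not in ("disable", "delete", "anonymize", "keep"):
        raise ValueError(f"unknown cleanup method: {method}")
    remaining: Dict[str, User] = {}
    for idp_id, user in directory.items():
        stale = idp_id not in returned_idp_ids
        if stale and should_clean is not None and not should_clean(user):
            stale = False                        # script vetoed the cleanup for this user
        if not stale:
            remaining[idp_id] = user
            continue
        if method == "delete":
            continue                             # dropped: tickets and comments lose their author
        if method == "disable":
            user.active = False
        elif method == "anonymize":
            anonymize(user)
        # "keep": the user object itself is not modified
        if remove_groups:
            user.groups = []                     # assumed to apply to every stale user, including earlier cleanups
        remaining[idp_id] = user
    return remaining


def sample_directory() -> Dict[str, User]:
    """Constructed sample data, not from a real instance. carol was disabled in an earlier run."""
    return {
        "id-alice": User("alice", "alice@example.com", "Alice A", "id-alice", groups=["jira-users"]),
        "id-bob": User("bob", "bob@example.com", "Bob B", "id-bob", groups=["jira-users", "jira-admins"]),
        "id-carol": User("carol", "carol@example.com", "Carol C", "id-carol", active=False,
                         groups=["confluence-users"]),
    }


if __name__ == "__main__":
    # Only alice was returned by the IdP in this run; bob and carol are cleaned up.
    after = cleanup(sample_directory(), {"id-alice"}, "anonymize", remove_groups=True)
    for u in after.values():
        print(u.username, u.email, u.active, u.groups, u.attributes)
```

Two details worth noticing when testing your own configuration: an already anonymized user is not renamed a second time (the flag makes the step idempotent), and group removal reaches users that were disabled in an earlier run, because they are still absent from the IdP's result set.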

Scheduled Synchronization

The Cleanup Behaviour is triggered every time a full sync is performed. A full sync can be triggered manually by clicking Sync on the main User Sync configuration screen, or it can be scheduled to run periodically. The Scheduled Synchronization is configured below the Cleanup Method. We recommend combining the Cleanup Behaviour with the Scheduled Synchronization: an active schedule makes sure the above criteria are checked regularly, so the chosen cleanup behaviour is applied to affected users promptly.

Switch the Scheduled Synchronization toggle to enable or disable the regular schedule. You can then edit the Cron Expression, which defines when the next sync runs, and set Results to keep, the number of sync results that are retained (older results are removed when a new sync starts). Choose a value that matches your requirements; User Sync itself imposes no limit. The configuration field is an int, so the system limit is usually 2147483647.

Keep in mind that very high values for Results to keep (resultsToKeep) can degrade database performance.


If you click the pencil icon next to the Cron Expression, you can use the Cron Expression Builder.


Alternatively, you can enter a Cron Expression directly.

After changing the Scheduled Synchronization, click Save and Return. This saves and enables the new configuration.

Please note:

  • Full sync duration depends on your user base; a typical schedule is:
    • small instances (up to 1,000 IdP users): a full sync once an hour
    • larger instances (up to 10,000 IdP users): a full sync once a day (overnight)
    • enterprise instances (more than 10,000 users): a full sync once a week
  • Our SAML SSO plugin always performs a Single User Sync when a user signs in, so a user that does not exist yet is created and an existing one is updated.
  • The full sync is mainly there to disable deleted users and to make sure all user information is up to date.