Keycloak configuration
Configuration in the Keycloak Web Console
Log in to your Keycloak instance with administrator privileges and enter the Administration Console.
Select the realm of the users who should be synchronized and click on Clients in the left-hand navigation bar.
Click on the Create client button of the client view to register a new client for the User & Group Sync connector.
Provide a name for the Client ID and make sure that the Client type is OpenID Connect and click on Next.
In the Capability config tab, enable both the Client authentication and Authorization options, and set the other options as shown in the following screenshot, then click on Next:
Keep the settings in the next tab as is, and click on Save.
The following assignment might not be required when registering a client in the master realm.
Switch to the Service account roles tab and click on the Assign role button.
Select "Filter by clients", search for "manage-users", and press Enter. Choose "realm-management / manage-users" and click on Assign.
The settings should now look like this:
Go to the Credentials tab, and copy the Client secret. You may regenerate it at any time.
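To confirm that the service account carries only the role assigned above, its access token can be inspected. The following is an added example, not part of this documentation or the product: it decodes a token's claims and reports whether realm-management / manage-users is present and whether broader roles were granted. The sample tokens are constructed, and the sets of "broad" roles are an assumption chosen for illustration.

```python
import base64
import json

REQUIRED_ROLE = "manage-users"    # role assigned in the steps above
ROLE_CLIENT = "realm-management"  # Keycloak client that owns that role
# Assumption: roles treated here as broader than the sync connector needs.
BROAD_CLIENT_ROLES = {"realm-admin", "manage-realm", "manage-clients", "impersonation"}
BROAD_REALM_ROLES = {"admin", "create-realm"}


def decode_claims(jwt: str) -> dict:
    """Return a JWT's payload WITHOUT verifying the signature (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_service_account(claims: dict) -> dict:
    """Check the required role is present and list any broad roles found."""
    client_roles = set(claims.get("resource_access", {}).get(ROLE_CLIENT, {}).get("roles", []))
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    excess = (client_roles & BROAD_CLIENT_ROLES) | (realm_roles & BROAD_REALM_ROLES)
    return {"has_required": REQUIRED_ROLE in client_roles, "excess": sorted(excess)}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned token from constructed claims, for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


# Constructed samples; in practice pass the access_token returned for the
# client's client_credentials request to the realm's token endpoint.
SAMPLE_OK = make_sample_token(
    {"resource_access": {"realm-management": {"roles": ["manage-users"]}}})
SAMPLE_BROAD = make_sample_token({
    "realm_access": {"roles": ["admin"]},
    "resource_access": {"realm-management": {"roles": ["manage-users", "realm-admin"]}},
})

if __name__ == "__main__":
    for name, tok in (("ok", SAMPLE_OK), ("broad", SAMPLE_BROAD)):
        print(name, audit_service_account(decode_claims(tok)))
```

A non-empty `excess` list means the client secret copied below grants more than user management and the role assignment should be reviewed.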
Configuration in User & Group Sync Configuration page
Navigate to the administration console for Jira, Confluence, or Bitbucket:
Confluence: search for USERS & SECURITY, under which you'll find User & Group Sync
Jira: navigate to the User management tab, in which you'll find User & Group Sync
Bitbucket: navigate to Administration / Accounts, where you'll find User & Group Sync listed
Click on Add Connector and choose Keycloak Connector.
Set a name, insert your Keycloak URL appending /auth at the end, and provide
- realm name
- client-id
- secret
as per your Keycloak setup earlier. Use the Save and Test Connection button to check if User Sync can connect to Keycloak successfully.
To schedule a periodic synchronization of your Keycloak directory with User & Group Sync, click on Show Advanced Settings at the very bottom of the page.
Enable Scheduled Synchronization needs to be checked. The default cron expression then triggers a sync every day at 2 am.
Click Save and Return to finish the configuration.
You are now ready to commence either a simulated or a full sync. By simulating the sync first, you can verify your configuration and see what changes User Sync would apply, such as which users will be added, modified, or not modified. With the full sync, User Sync will apply those changes. Both sync actions will run a full sync and will have the same sync duration. For more information on the sync simulation, please refer to Using the Simulated Sync Feature.
If you already have users in your system that you want to migrate without losing their history, please read here. Don't hesitate to reach out to https://www.resolution.de/go/support if you need any help with achieving this.
Additional Resources:
- User Sync Endpoints
- Group Management- And Filtering With User Sync
- Cleanup Behaviour and Scheduled Synchronization
- How To Migrate An Internal Directory To UserSync