What is User Sync?
User & Groups Sync (in short, User Sync) is our provisioning solution for configuring API-based one-way synchronizations of users and group memberships from cloud Identity Providers into Atlassian on-premise applications like Confluence, Jira, or Bitbucket.
Note that User Sync does not handle user authentication, which is covered by the core of our SAML Single Sign-On app.
How do I get User Sync?
User Sync comes in two different formats:
- as a module of resolution’s SAML Single Sign-On app
- as a standalone app that can be acquired via the Atlassian Marketplace
Why User Sync?
User Sync is the most advanced user provisioning solution for Atlassian Data Center and Server customers. Here’s a quick overview of some of its differentiating capabilities:
- Automated User Lifecycle Management. Users can be automatically provisioned and de-provisioned, regardless of whether they log into the Atlassian applications or not. This includes automatically deactivating offboarded users, as well as inactive users.
- Automated License Management. Save on licenses by making sure that you don't pay for inactive users! Advanced configurations are possible, e.g. provisioning every user account while only assigning licenses to effectively active users (see our guide).
- Cleanup inactive users automatically. Besides dropping users that are set as inactive in the IdP, User Sync offers the option to set up specific connectors to Cleanup Inactive Users based on last activity dates. This is a recommended practice for customers who provision users Just in Time (upon first login via SAML).
- Full profile updates. Ensure that all the attributes accessible via the API are in sync with your source of truth in the IdP. These attributes can even be shown to users in the Jira and Confluence UIs if you are using Communardo’s or Linchpin’s User Profile apps.
- Empowered Atlassian Admins. Teams managing the Atlassian platform reduce their dependency on central IT teams thanks to the flexibility for handling group assignments, as well as attribute mapping and transformations.
- Scheduled synchronizations. Just like LDAP, User Sync can schedule synchronizations regularly, for example once every hour or every weekend.
- Flexible attribute configuration. Attributes coming from the IdP can be transformed using either Regular Expressions or Groovy code. This includes group membership management and transformation.
- Combine and merge API calls & SAML requests. It’s even possible to enrich the information from User Sync (run first) with information in the SAML response, if there is additional data there that you’d like to have in the user profiles!
- Segmented provisioning. Sync subsets of users based on group memberships. This makes the process of synchronization faster and more relevant, since the connector will only go through those users in the IdP that should be provisioned, and skip the rest.
What can I actually do with User Sync?
The table below summarizes some common use cases for User Sync and how they relate to specific jobs.
Enterprise Specific Settings
| Challenge | With User Sync |
| --- | --- |
| In large organizations, employees join, leave and change position constantly. Admins can’t keep track of every required change if they update Atlassian user accounts manually. | Automatically create, update, and deactivate Atlassian user accounts from your centrally managed cloud user directory. |
| Access rights and permissions are siloed across enterprise applications. | Access is managed centrally with group memberships in the Identity Provider and regularly synchronized into Atlassian applications. |
| Data Center native SSO can’t log users in because usernames differ between the IdP and Atlassian (e.g. “firstname.lastname@example.org” vs. “mary.bold”). In the meantime, employees are not able to work. | Once the attribute from the IdP is transformed to match the value in e.g. Jira, users can successfully log in and be synced. |
| Information stored on the IdP such as phone number, office location, or supervisors can’t be displayed or updated in Jira and Confluence. | Actionable and up-to-date profile data becomes available to every Atlassian user and can be leveraged for workflow automations, e.g. approvals, transitions, etc. |
| Identifying errors and discrepancies in the user database and log files is tedious and time consuming. | Clear overview of what, when, and how data has been synchronized, so you can quickly react whenever something goes wrong. |
| Only a subset of the users on the IdP needs access to Atlassian applications, and only a few among hundreds of groups should be synced. | Filter which users are synced based on groups, e.g. jira-users and confluence-users. Define which group memberships are relevant to Atlassian usage and should be carried over. |
| During migration, lots of time is spent on duplicating configuration from the test instance to the production instance. | Export/import available via UI and via REST API for automation purposes (coming soon). |
| Synchronize user data from other cloud applications, like payroll or remote employee management SaaS. | The resolution team can quickly develop a custom connector using Groovy script with any cloud application that has API methods for creating and/or updating user accounts. |
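As an added illustration of the one-way sync behaviour described in the table and in the capabilities list above (regex attribute transformation, group-based segmented provisioning, and lifecycle deactivation), here is a small reconciliation in Python. It is not resolution’s code and not how User Sync is implemented (the app uses Regular Expressions or Groovy for transformations); all user, group and directory data is constructed for the example.

```python
import re

# Constructed sample data (not real accounts). IDP_USERS mimics what a cloud
# IdP returns via its API; ATLASSIAN_USERS mimics the local directory, where
# usernames are already in "firstname.lastname" form.
IDP_USERS = [
    {"email": "Mary.Bold@example.org", "active": True, "groups": ["jira-users", "sales"]},
    {"email": "sam.ray@example.org", "active": True, "groups": ["confluence-users", "dev"]},
    {"email": "tom.reed@example.org", "active": True, "groups": ["marketing"]},
    {"email": "ann.lee@example.org", "active": False, "groups": ["jira-users"]},
]
ATLASSIAN_USERS = {"mary.bold": "active", "ann.lee": "active", "joe.gone": "active"}

# Segmented provisioning: only members of these IdP groups are in scope.
RELEVANT_GROUPS = {"jira-users", "confluence-users"}


def transform_username(email):
    """Regex transform: 'firstname.lastname@example.org' -> 'firstname.lastname'."""
    m = re.fullmatch(r"([a-z]+\.[a-z]+)@example\.org", email.lower())
    if not m:
        raise ValueError(f"unexpected login format: {email}")
    return m.group(1)


def plan_sync(idp_users, atlassian_users, relevant_groups):
    """One-way reconciliation: returns the create/update/deactivate actions.

    Accounts are never deleted; anything inactive in the IdP, outside the
    relevant groups, or missing from the IdP altogether is deactivated."""
    plan = {"create": [], "update": [], "deactivate": []}
    in_scope = set()
    for u in idp_users:
        username = transform_username(u["email"])
        groups = sorted(relevant_groups.intersection(u["groups"]))
        if not u["active"] or not groups:
            # Out of scope: deactivate only if the account exists locally.
            if atlassian_users.get(username) == "active":
                plan["deactivate"].append(username)
            continue
        in_scope.add(username)
        action = "update" if username in atlassian_users else "create"
        plan[action].append((username, groups))
    # Local accounts the IdP no longer knows about are deactivated, not removed.
    for username, status in atlassian_users.items():
        if status == "active" and username not in in_scope and username not in plan["deactivate"]:
            plan["deactivate"].append(username)
    return plan


if __name__ == "__main__":
    print(plan_sync(IDP_USERS, ATLASSIAN_USERS, RELEVANT_GROUPS))
```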
When should I look into User Sync?
There is no simple answer to when User Sync is the best alternative for your user provisioning challenges. Here are the most common scenarios:
Connect with cloud Identity Providers like Azure AD, Okta, Google, etc.
While some of these providers allow you to set up Just in Time provisioning with SAML attributes, User Sync overcomes the limitations of this approach and lets you fully benefit from a modern, centralized cloud identity platform.
Replace LDAP connectors to Active Directory
LDAP can be hard to maintain and keep secure. Teams who are ready to move away from LDAP regularly consider User Sync, as it provides superior capabilities and can accommodate any use case: companies that want to keep Active Directory can still access it via Federation Services, and companies who decide to migrate can connect to the cloud IdP of their choice.
Replacing LDAP lets you outsource maintenance to a cloud solution and benefit from best-in-class user management automation and security features like Multi-Factor Authentication (MFA), password reset flows, or external user management.
Replace Crowd
Resolution’s SAML SSO can provide a true Single Sign-On experience that doesn’t segregate the Atlassian stack from the rest of your corporate applications (like Crowd does). In this context, User Sync is the best alternative for aligning your user management policies with the rest of your non-Atlassian applications, specifically with regards to managing which users should be provisioned where.
Replacing Crowd can also reduce the complexity of your Identity Management infrastructure, shifting maintenance to the cloud and freeing up your team to work on more interesting projects.
Supplement the deficiencies of Data Center SSO for user provisioning
Many Data Center customers are content with how Atlassian SSO handles user logins, but miss support for requirements regarding how users are provisioned and updated. For example, you may not be happy with provisioning and updating your users Just in Time. In these cases, User Sync can be deployed as a standalone app in combination with Atlassian Data Center SSO.
Example 1: You’re not happy with provisioning and updating your users Just in Time.
Example 2: Sixt Lease leverages User Sync to ensure that supervisor roles are kept up to date at all times, thus maintaining their validation workflows automatically.
Example 3: How can you provision 42,000 users into a 15,000 users Jira instance without destroying usability? Learn how to set it up in this step-by-step guide.