What is User Sync?

User & Groups Sync (User Sync) is a provisioning solution that enables API-based, one-way synchronization of users and group memberships from Identity Providers to Atlassian on-premise applications such as Confluence, Jira, Bitbucket, and Bamboo.

User Sync supports the API-based approach with dedicated connectors for Entra ID, Okta, Keycloak, OneLogin, and Google Cloud Identity. It offers a SCIM 2.0 connector for other identity providers with similar functionality and benefits.

Note: User Sync does not handle SSO authentication. Authentication is managed by the SAML Single Sign-On app.

How do I get User Sync?

User Sync is available in two formats:

  1. As a module of resolution’s SAML Single Sign-On app. (recommended)
  2. As a standalone app available on the Atlassian Marketplace.

Why User Sync?

For Atlassian admins, User Sync provides significant empowerment by reducing reliance on central IT teams. Admins can flexibly handle group assignments, attribute mapping, and transformations. Below is an overview of its key capabilities:

User Sync automates the Lifecycle Management of user accounts, ensuring provisioning and de-provisioning happen seamlessly, even for users who never log into Atlassian applications. Complementing this, Automated License Management optimizes license allocation by ensuring only active users consume licenses, helping you reduce costs without compromising on user provisioning flexibility.

The Cleanup Inactive Users feature takes this a step further by offering the ability to clean up users based on last activity dates, not just as reported inactive in the Identity Provider (IdP). This is particularly useful for customers using Just-in-Time provisioning, where users are created upon their first login via SAML. Still, this feature can also be combined with the API sync to disable users who do not log in frequently. See our guide for detailed steps.

Segmented Provisioning enables syncing of specific subsets of users based on group memberships. This speeds up synchronization and makes it more efficient by focusing only on relevant users while skipping the rest.

User Sync enables Full Profile Updates by synchronizing user attributes mapped from the IdP to the corresponding fields in Atlassian applications. This mapping can be adjusted in the configuration. User Sync can also synchronize the Profile Pictures for customers using Entra ID and Google Cloud Identity as their IdP. If you use Communardo’s or Linchpin’s User Profile app, User Sync allows you to map attributes from your IdP directly to the user profile fields in these apps, ensuring consistent and up-to-date user information.

In addition, User Sync in combination with our SAML Single Sign-On app can Combine and Merge Data by enriching user profiles with information from the SAML response, which complements data retrieved via User Sync’s API calls.

User Sync also supports Flexible Attribute Configuration, where attributes from the IdP can be transformed using either Regular Expressions or Groovy Code. This includes managing and transforming group memberships to meet advanced needs. The Sync Simulation feature in User Sync lets you preview the results of your attribute mappings and transformations before running an actual sync. This helps you validate even complex configurations and avoid unexpected outcomes during the live sync process.

With Scheduled Synchronizations, User Sync allows you to automate regular updates, similar to LDAP, at intervals such as hourly, daily, or weekly.

After each full sync, you can review the sync result in our Sync Result Browser in the User Sync UI. User Sync even offers a Sync Result Browser for incremental updates when you use the SCIM connector. This provides full visibility about user and group updates. For more deep-dive troubleshooting User Sync also provides all sync updates in a JSON format. 

User Sync gives Atlassian admins the tools they need to manage users and groups independently, without always relying on central IT. With features like flexible group assignments, attribute mapping, and transformations, it simplifies complex tasks and makes user provisioning more efficient.


What can I do with User Sync?

The table below summarizes some common use cases for User Sync, and how they relate to specific jobs


Needs

Features

Solutions

Enterprise Specific Settings




In large organizations, employees join, leave, and change positions constantly. Admins can’t stay on track of every required change if they update Atlassian user accounts manually.

  • Synchronize Atlassian user accounts with changes in the cloud Identity Providers via API. Syncs can be scheduled at regular intervals or triggered manually.

Automatically create, update, and deactivate Atlassian user accounts from your centrally managed cloud user directory.


Access rights and permissions are siloed across enterprise applications.

  • One-way synchronization of group memberships

Access is managed with group memberships centrally in the Identity Provider and regularly synchronized into Atlassian applications.

Data Center native SSO can’t log in users because usernames are different on the IdP and Atlassian (eg. “mary.bold@resolution.de” Vs “mary.bold”). In the meantime, employees are not able to work.

  • Attribute Mapping & Attribute Transformation

Once the attribute from the IdP is transformed to match the value in eg. Jira, users can successfully log in and be synced.

Information stored on the IdP such as phone number, office location, or supervisors can't be displayed or updated on Jira and Confluence.

  • Integrations with Scriptrunner, Jira Misc Workflow Extensions, and Linchpin & Communardo User Profiles

Actionable and up-to-date profile data becomes available to every Atlassian user and can be leveraged for workflow automation, i.e. approvals, transitions, etc.

Admin Friendly



Identifying errors and discrepancies in the user database and log files is tedious and time-consuming.

  • Status of sync jobs, Sync Result Browser & JSON with full details on every updated user account

Clear overview of what, when, and how data has been synchronized to quickly react whenever something goes wrong.

Only a subset of the users on the IdP needs access to Atlassian applications, and only a few among hundreds of groups should be synced.

  • Refine synchronization with filters

Filter which users are synced based on groups. i.e., jira-users and confluence-users. Define which group memberships are relevant to Atlassian usage and should be carried over.

During migration, lots of time is spent on duplicating configuration from the test instance to the production instance.

  • Import/ Export Configuration

Export/import available via UI and via REST API for automation purposes

Customization

Synchronize user data from other cloud applications, like payroll or remote employee management SaaS

  • Groovy Connector

The resolution team can quickly develop a custom connector using Groovy script with any cloud application that has API methods for creating and/or updating user accounts.

When Should You Consider User Sync?


User Sync is the right choice when you’re moving away from legacy solutions like LDAP or Atlassian Crowd and want a modern, flexible, and efficient user provisioning solution. Here’s when you should look into it:

1. Replacing LDAP or Atlassian Crowd

If you’re phasing out LDAP or Crowd, User Sync is an excellent replacement that provides the same provisioning capabilities while simplifying maintenance and enhancing security.

  • Why Replace LDAP?
    LDAP can be complex to maintain and secure. With User Sync, you can connect to modern Identity Providers (IdPs) like Azure AD, Okta, Google Workspace, or any IdP supporting SCIM. This allows you to benefit from cloud-based user management, including features like Multi-Factor Authentication (MFA), automated password resets, and external user management.

  • Why Replace Crowd?
    Atlassian Crowd segregates user management for the Atlassian stack from the rest of your corporate applications. By switching to User Sync, you can unify your user provisioning policies across all applications, simplify your identity management infrastructure, and free up resources for more strategic projects.


2. Enhancing Atlassian Data Center SSO Provisioning

If you use Atlassian Data Center SSO, User Sync can complement it by addressing gaps in user provisioning. For example, many admins find that Just-in-Time provisioning doesn't meet their needs for group assignments, attribute updates, or role changes.

Example Use Cases:

  • Replacing Just-in-Time Provisioning: Just-in-Time provisioning often lacks control over user updates and group assignments. User Sync allows you to pre-provision users and groups and automatically disable inactive accounts, ensuring full lifecycle management.
  • Keeping Roles Updated: Sixt Lease uses User Sync to keep supervisor roles updated automatically, maintaining accurate validation workflows without manual effort.

  • Managing Large User Bases: How can you provision 42,000 users into a 15,000 users Jira instance without destroying usability?  Learn how to set it up in this step-by-step guide.


In summary, User Sync is ideal when you want to:

  • Move away from LDAP or Crowd.
  • Leverage modern IdPs like Azure AD, Okta, Google Cloud Identity, or any SCIM-compatible provider.
  • Enhance provisioning capabilities alongside Atlassian Data Center SSO. See our full comparison with Data Center SSO

With User Sync, you get the tools to handle user provisioning effectively and integrate seamlessly with modern identity platforms, helping you streamline processes and focus on what matters most.