Hello community,
I am in the process of spinning up JSM for my company. We also use Jira for project boards for the IT and DevOps teams.
We use Okta as our IDP, and I have already set up one instance of the Okta/Atlassian integration. Using group assignment, any person we add to a particular group will be given access to Jira. No problems so far.
However, now I would like to use this integration in a different way; I want to set it up so that I can use a similar integration to add all of our employees as customers in JSM. The purpose is to take care of user provisioning for them instead of having each user have to login and register a JSM customer account. The problem I am having is that I don't see a simple way to do this from the integration already in place, nor can I get a cloned version of the integration to function.
I see checkmark boxes on the integration settings in Okta that allow me to add JSM to the integration, but then I assume if I use this, it will give all users a Jira account as well, which I don't want (I want to make sure the users for this group only go to JSM as non-billable customers).
So then I tried simply duplicating the integration, copying the settings from the first integration, and only checking JSM as the product to provide. This part fails when I attempt to test the API credentials. I am assuming that I would need to set up a separate IDP (even though it is still just Okta) in Atlassian Admin settings to get a new API key for this purpose.
But alas, I cannot do this either, as Jira Admin is telling me that I need to have Atlassian Enterprise in order to use multiple IDPs, even though it's still the same IDP! I see the option to regenerate API keys, but then that would most likely break the current Okta/Jira integration that is already set up.
So, I guess I am spinning my wheels here.
Is there a way to setup multiple Okta/Jira product integrations so that I can assign different products to different users via my IDP without Enterprise? Perhaps if I regenerate the API key, I can use it for each Atlassian integration within Okta?
Or perhaps there is a way to load all users into Jira/JSM initially, but to not give them actual Jira access on the Atlassian side (a billable account), only JSM?
I have pored through all the documentation I can find and none of it really helps with this particular issue. I do not want to set this up as a portal-only customers type SSO project, as I want users to be able to be pre-provisioned. (Otherwise I would just make the JSM instance public and let all users create accounts.) I do not want to upgrade my instance, as it's not actually a separate IDP I am trying to use. Lastly, I don't necessarily mind putting the whole company in Jira if I can ensure that they won't actually be billed unless put into a project board.
I am sure that I am missing a simple fix here, but I don't think I can suss it out by myself any longer. Any advice on how to go about this would be much appreciated. Thanks!
Hi @Kyle Pontis
Do you need to have the customers created as 'Customer Accounts' in JSM?
Or are you happy to have the customers created as 'Atlassian Accounts' and granted customer roles within JSM?
If you're ok to have the customers created as Atlassian Accounts, then just sync the users from your IdP into a single group, maybe called 'JSM-Customers'.
You can then assign the JSM customer role to the JSM-Customers group, and all those users will get access to JSM as a customer. There's more info on how to do this here: https://community.atlassian.com/t5/Jira-Service-Management-articles/A-dedicated-product-access-role-for-internal-customers-in-Jira/ba-p/2279244
Or, if you want to use the default Atlassian group for the JSM Customer role, jira-servicemanagement-customers-sitename, you can use a 3rd party app like Admin Automations to sync users from one of your IdP groups, into the default group.
Hi Kieren,
Ideally I would like to be able to add the entire company as JSM "customers", so that they can submit IT support tickets and the like. What I don't want is to add the entire company to Jira Software and end up having to pay for several hundred billable accounts by accident.
What I decided to do for now is to hide the integration in Okta, and then to use two separate "bookmark apps" instead.
So, this allows me to "shadow provision" users with the main integration, but then decide which apps they can see on their dashboard via the bookmarks. Then, I used push groups to set things up so that all users get added to JSM Customers group which assigns them customer roles in JSM. As for Jira, I just selected the option to "require admin approval" when a user attempts to access Jira Software.
This seems to be working for now, but I am curious if you think that there may be a better or more efficient/secure way to go about this?
That sounds like a good solution.
Two things to note:
1. If you're granting the JSM Customer role to a synced Okta group, then make sure there are no Jira/JSM settings you need to configure that would normally use the JSM default groups. I think for JSM Customers you'll be fine, but it's something worth checking if you have some custom Jira security settings configured.
2. If you're controlling all your customer access via Okta, then I'd suggest removing 'Require Admin Approval'. Otherwise, your Okta access and JSM Customer access will get out of sync.
In either case, double check that your JSM customer access settings and your Org User Access Settings are aligned to what you're wanting.
- JSM customer access settings: https://<your-site-name>.atlassian.net/jira/settings/products/servicedesk/customer-access
- Org User Access Settings: https://admin.atlassian.com/o/<your-org-id>/user-access-settings
Good luck!
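The "out of sync" caveat in point 2 above is checkable. The following is an added example, not code from the thread or from Atlassian/Okta: a small reconciliation script that compares an Okta group against the Atlassian groups that grant product access and reports three kinds of drift: Okta customers not yet present in the Atlassian customer group, Atlassian customer-group members with no Okta source, and, the billing concern raised in this thread, anyone holding a billable product group (jira-software-users-<sitename> is assumed as the name) without the matching Okta entitlement. The membership dictionaries are constructed sample data standing in for API results; the group names, the Okta-to-Atlassian mapping and the use of email as the join key are assumptions. In a real run you would populate them from the Okta Groups API (GET /api/v1/groups/{groupId}/users) and the Jira Cloud REST API (GET /rest/api/3/group/member?groupId=...).

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed sample data standing in for API results.
# Assumption: the user's email is the join key between Okta and Atlassian.
OKTA_GROUPS: Dict[str, Set[str]] = {
    "JSM-Customers": {"alice@example.com", "bob@example.com", "carol@example.com"},
    "Jira-Software-Users": {"alice@example.com"},
}
ATLASSIAN_GROUPS: Dict[str, Set[str]] = {
    "JSM-Customers": {"alice@example.com", "bob@example.com", "dave@example.com"},
    "jira-software-users-acme": {"alice@example.com", "carol@example.com"},
}

# Assumed mapping: for each Atlassian group that grants a billable product
# role, the Okta group that is supposed to be its only source of members.
BILLABLE_GROUP_SOURCES: Dict[str, str] = {
    "jira-software-users-acme": "Jira-Software-Users",
}


@dataclass(frozen=True)
class DriftReport:
    # In the Okta customer group but not (yet) in the Atlassian customer group.
    missing_customers: frozenset
    # In the Atlassian customer group with no corresponding Okta membership.
    stale_customers: frozenset
    # email -> billable Atlassian groups held without the Okta entitlement.
    unexpected_billable: Dict[str, frozenset]

    def is_clean(self) -> bool:
        return not (self.missing_customers or self.stale_customers
                    or self.unexpected_billable)


def reconcile(okta: Dict[str, Set[str]], atlassian: Dict[str, Set[str]],
              customer_group: str = "JSM-Customers",
              billable_sources: Dict[str, str] = BILLABLE_GROUP_SOURCES) -> DriftReport:
    """Compare IdP group membership with Atlassian product-access groups."""
    okta_customers = okta.get(customer_group, set())
    atl_customers = atlassian.get(customer_group, set())
    missing = frozenset(okta_customers - atl_customers)
    stale = frozenset(atl_customers - okta_customers)

    unexpected: Dict[str, Set[str]] = {}
    for atl_group, okta_source in billable_sources.items():
        entitled = okta.get(okta_source, set())
        # Anyone in a billable group who is not entitled via Okta costs a seat
        # that the IdP never granted (e.g. added by hand or via admin approval).
        for email in atlassian.get(atl_group, set()) - entitled:
            unexpected.setdefault(email, set()).add(atl_group)

    return DriftReport(missing, stale,
                       {e: frozenset(g) for e, g in unexpected.items()})


def render(report: DriftReport) -> str:
    """Human-readable summary, one finding per line, sorted for stable diffs."""
    lines = []
    for email in sorted(report.missing_customers):
        lines.append(f"MISSING   {email}: in Okta customer group, not in Atlassian")
    for email in sorted(report.stale_customers):
        lines.append(f"STALE     {email}: in Atlassian customer group, not in Okta")
    for email in sorted(report.unexpected_billable):
        groups = ", ".join(sorted(report.unexpected_billable[email]))
        lines.append(f"BILLABLE  {email}: holds {groups} without Okta entitlement")
    return "\n".join(lines) if lines else "no drift"


if __name__ == "__main__":
    print(render(reconcile(OKTA_GROUPS, ATLASSIAN_GROUPS)))
```

Run on the constructed data it reports carol as not yet synced into the customer group, dave as a stale customer-group member, and carol as holding a billable Jira Software group that Okta never granted. Scheduling something like this against the live APIs is one way to catch the drift that "Require admin approval" introduces when Okta is meant to be the only source of truth.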
Hi @Kyle Pontis
I hope you are well!
If I understand your requirement correctly you would like to automatically provision/sync all your customers from Okta into JSM.
I would suggest that you try out the SCIM Provisioning plugin for Jira.
With the help of this add-on, you can integrate multiple IDPs, and automatically sync users and customers effortlessly into your Jira and JSM instances.
To discuss this in detail, you can reach out to us from here. I'll make sure that a miniOrange representative will help you with all the details.
PS: I work for miniOrange, one of the cybersecurity vendors in the Atlassian Marketplace.
Thanks,
Aditya
Hi @Kyle Pontis , thanks for your question.
Is this something that can be resolved by setting up a specific Authentication Policy?
https://support.atlassian.com/security-and-access-policies/docs/understand-authentication-policies/
I added some more labels to this question so hopefully that will draw some more attention from others who can help.
Best wishes
Hi Valerie,
Thanks for your reply! I took a look through the document that you sent over, but it looks like one of the caveats to these authentication policies is that you can't use SSO for non-billable policies. The article states: "You can't add the users you sync from your identity provider (e.g., Okta, Azure AD, Google Workspace) to a non-billable policy."
So, that piece of information indicates to me that this won't work either. I would like to just automate the task of provisioning all current and new employees into JSM using Okta as customers so that they aren't billed. Let me know if you have any other thoughts!