Updated on 2024-12-30 GMT+08:00

Synchronizing Data to Atlassian Through SCIM

Introduction

System for Cross-domain Identity Management (SCIM) is designed to manage multi-tenant identities for cloud-based applications. SCIM 2.0 is built on an object model in which a resource is the common denominator and all SCIM objects are derived from it. Every resource has id, externalId, and meta as common attributes. RFC 7643 defines User, Group, and EnterpriseUser, which extend the common attributes.

This section describes how to synchronize user data to Atlassian through the SCIM protocol.

Configuration Process

Prerequisites

  • You have an administrator account for Atlassian.
  • You have permissions to access the administrator portal.

Adding an Application

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. Click Add Custom Application in the Custom Applications section, set the logo and application name, and click Save.

Configuring the Application

  1. Click the application added in Adding an Application.
  2. In the General Information area, click next to Synchronization to enable synchronization, select SCIM, and click Save.

    The protocol cannot be changed once specified.

  3. In the General Information area, click Configure next to Synchronization to access the configuration page.

    Figure 1 Configuring synchronization parameters

    Table 1 Basic settings

    | Parameter | Mandatory | Description |
    |---|---|---|
    | SCIM Endpoint | Yes | Interface address of the target system to receive SCIM data, for example, https://example.com/v2. |
    | Authentication Method | Yes | Authorization is required for calling SCIM APIs. The options include Basic Auth (default) and Bearer Token. |
    | Username | Yes | Username for authentication. Set this parameter if you specify the authentication method as Basic Auth. |
    | Password | Yes | Password of the user. Set this parameter if you specify the authentication method as Basic Auth. |
    | Application Account Template | Yes | Template of user request data to be pushed to the target system. By default, the data template of SCIM 2.0 is used. Set the template according to the SCIM version supported by the target system. |
    | Application Organization Template | Yes | Template of organization request data to be pushed to the target system. By default, the data template of SCIM 2.0 is used. Set the template according to the SCIM version supported by the target system. |
    | Organization Resource Path | No | Organization resource path in SCIM. For example, the user path is User and the user group path is Group. |

    Table 2 Advanced settings

    | Parameter | Mandatory | Description |
    |---|---|---|
    | Content-Type | No | Request header, which you can set based on the target system. Set this parameter to application/json or application/scim+json. The default value is application/scim+json. |
    | Accept | No | Request header, which you can set based on the target system. Set this parameter to application/json or application/scim+json. |
    | Time Format | No | JSON time format. If the time is in milliseconds, set this parameter to "timestamp". If the time is another type of value, set this parameter to a format expression, for example, yyyy-MM-dd HH:mm:ss. |

  4. Choose Object Models > Application Accounts in the left pane, click the Attributes tab, and click Add to add attributes. For details, see Table 3.

    The email attribute is mandatory for SCIM to synchronize data from Atlassian. If the attribute is not added, the synchronization fails.

    Table 3 Attributes

    | Parameter | Description |
    |---|---|
    | Attribute | Attribute that OneAccess will map to the target application, for example, email. |
    | Label | Identifier of an attribute name. It is recommended that the value of this parameter match that of Attribute. |
    | Description | Description of Attribute. |
    | Attribute Type | Type of an attribute. You can select a value from the drop-down list box. |
    | Format | This parameter specifies the text format. It can be set only when Attribute Type is set to Text. |
    | Required | If this option is selected, the attribute must be set when user data is synchronized to an application. If the attribute is left blank, a prompt message is displayed. |
    | Unique | It can be set only when Attribute Type is set to Text. If this option is selected, the attribute value is kept unique when user data is synchronized to an application. If the attribute value is duplicated, a prompt message is displayed. |
    | Sensitive | It can be set only when Attribute Type is set to Text. If this option is selected, the user data is hidden when it is synchronized to an application. You can click to view the content. |

  5. Switch to the Mappings tab page, click Modify, and configure attribute mappings.

    Table 4 Mappings

    | Parameter | Description |
    |---|---|
    | User | Attribute that OneAccess will map to the application, for example, email. |
    | Conversion Mode | Attribute mapping mode. |
    | Script Expression | Enter a script if you specify the conversion mode as Script-based. |
    | Execution Mode | Operation to be performed when user data is synchronized from OneAccess to the target application. |
    | Application Accounts | Account attribute of the application. |

  6. In the left pane, choose Authorization > Application Accounts. Then click the button for adding accounts to authorize specific users to access the application. To authorize access using a policy, see the descriptions about the application account authorization policy in Configuring an Application.

    For details about how to configure object models, API permissions, and application permissions, see Configuring an Application.
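
The settings in Table 1 and Table 2, together with the mandatory email attribute, determine the HTTP request that reaches the target system. The following Python code is an added example, not OneAccess or Atlassian code: it builds (without sending) a SCIM 2.0 user-creation request and rejects a non-HTTPS endpoint, an unsupported media type, or a user without an email. The payload mapping, the /Users path from RFC 7644, and all sample names are assumptions; the real body is produced by the Application Account Template.

```python
import base64
import json
from urllib.parse import urlsplit

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ALLOWED_MEDIA_TYPES = {"application/json", "application/scim+json"}


def auth_header(method, username=None, password=None, token=None):
    """Authorization header value for the chosen Authentication Method."""
    if method == "Basic Auth":
        if not username or not password:
            raise ValueError("Basic Auth needs both Username and Password")
        raw = f"{username}:{password}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    if method == "Bearer Token":
        if not token:
            raise ValueError("Bearer Token needs a token")
        return "Bearer " + token
    raise ValueError(f"unsupported authentication method: {method}")


def build_user_request(endpoint, user, authorization,
                       content_type="application/scim+json"):
    """Build (url, headers, body) for a SCIM 2.0 user create; nothing is sent."""
    parts = urlsplit(endpoint)
    # Basic credentials are only base64-encoded, so refuse cleartext transport.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM Endpoint must be an https:// URL")
    if content_type not in ALLOWED_MEDIA_TYPES:
        raise ValueError(f"unsupported Content-Type: {content_type}")
    # The page states that synchronization fails without the email attribute.
    if not user.get("email"):
        raise ValueError("email attribute is mandatory")
    # Assumed mapping; the real body comes from the Application Account Template.
    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": user["id"],
        "userName": user["email"],
        "emails": [{"value": user["email"], "type": "work", "primary": True}],
    }
    headers = {"Authorization": authorization,
               "Content-Type": content_type, "Accept": content_type}
    # /Users is the standard user resource path in RFC 7644.
    return endpoint.rstrip("/") + "/Users", headers, json.dumps(body)

# Constructed sample values; example.com is the placeholder host from Table 1.
SAMPLE_USER = {"id": "u-1001", "email": "alice@example.com"}
SAMPLE_AUTH = auth_header("Basic Auth", "sync-admin", "constructed-password")
```

Running the same checks against the values entered in the configuration page catches a cleartext endpoint or a missing email before the first synchronization event fails.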

Configuring Synchronization in Atlassian

  1. Log in to Atlassian.
  2. Configure and verify the email address and set an API token. For details, see the Atlassian documentation.

Verifying Data Synchronization

  1. View the synchronized users in Atlassian.

  2. Choose Authorization > Synchronization Events in the left pane, and view the synchronization records.