Atlassian

This document provides instructions for customers to migrate from their existing Confluence and Jira Cloud provisioning apps in the Okta Integration Network (Atlassian Jira Cloud, Jira (Atlassian), and Atlassian Confluence Cloud) to the new Atlassian Cloud OIN app.



REQUIREMENTS

  • To take advantage of the Atlassian Cloud app and use both SAML and SCIM functionality, you have to have an Atlassian Access subscription. For more information, see: https://www.atlassian.com/software/access.
  • The Okta-built Confluence/Jira applications allow you to manage users at a Site level. The Atlassian-built Atlassian Cloud application allows you to manage users at an Organization level. As per Atlassian's documentation, Atlassian Organizations can have multiple Sites and are a centralized place for customers to manage their product and users. Before proceeding to the migration steps below, make sure that you have added your Jira/Confluence sites to your Atlassian Organization (for more information, see: https://confluence.atlassian.com/cloud/set-up-an-atlassian-organization-938859734.html).
  • You should test the migration flow with sample users/groups to ensure everything is working properly before you proceed with production data.
  • It is not recommended to use individual assignments when assigning users to the Atlassian Cloud application. As mentioned throughout the migration steps below, assigning users should be done via group assignment, as product access is granted to the groups. Members of those groups will automatically have the product access that was granted to the groups they belong to. If you use individual user assignment when pushing users via your Atlassian Cloud application in Okta, that user will not have any product access until you add that user to a group.
  • If you are pushing groups via the Atlassian Cloud application that you previously pushed using the Okta-built Jira applications, the groups will automatically be linked and any product access you granted to that group should remain the same.
  • If you want the users you pushed via the Jira/Confluence applications to be a part of the same groups, you have to assign them to those groups in Okta before you push them via the Atlassian Cloud application.

    Note: Unlike the Okta-built Jira/Confluence applications, the Atlassian Cloud app does not support Group Discovery when pushing new users.

  • For the Atlassian Cloud app, user accounts can only be pushed if they use a domain that is verified using your Atlassian Organization. At an Atlassian Organization level, you need to verify you own a domain to be able to push and manage accounts using that domain:

    Atlassian verify domains

  • At the Atlassian Site level, users with any domain you grant access to can be added to the Site. You don't need to verify that you own the domain as you do at the Atlassian Organization level:

    Atlassian define Site access

  • Remember the following when you are migrating: If you have users at the Site level using a domain that you can't verify at an Organization level, you will not be able to push that user using the Atlassian Cloud app.
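
The domain and group-assignment requirements above can be checked before any user is pushed. The following is an added example, not part of the original guide or of any Okta or Atlassian tooling: it audits a constructed export of the users assigned to the old apps, and the record fields (`email`, `scope`, `groups`), the sample domains and the exact-match treatment of subdomains are all assumptions of this example.

```python
# Added example: pre-migration audit over a constructed export of the users
# assigned to the old Jira/Confluence apps. All field names are hypothetical.
from collections import defaultdict

# Constructed sample: domains verified in the Atlassian Organization.
VERIFIED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample export. "scope" is USER for individual assignment and
# GROUP for group assignment; "groups" lists the Okta groups that will be pushed.
OLD_APP_USERS = [
    {"email": "alice@example.com", "scope": "GROUP", "groups": ["jira-users"]},
    {"email": "Bob@Corp.Example.com", "scope": "USER", "groups": []},
    {"email": "carol@contractor.example.net", "scope": "GROUP", "groups": ["jira-users"]},
    {"email": "dave@sub.example.com", "scope": "USER", "groups": ["confluence-users"]},
    {"email": "not-an-email", "scope": "GROUP", "groups": ["jira-users"]},
]


def email_domain(email):
    """Return the lower-cased domain, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def audit(users, verified_domains):
    """Group user emails by the migration problem they would hit."""
    verified = {d.lower() for d in verified_domains}
    findings = defaultdict(list)
    for user in users:
        domain = email_domain(user["email"])
        if domain is None:
            findings["malformed_email"].append(user["email"])
            continue
        # Assumption: a subdomain counts only if it is listed itself (exact match).
        if domain not in verified:
            findings["unverified_domain"].append(user["email"])
        # Individually assigned users in no pushed group get no product access.
        if user["scope"] == "USER" and not user["groups"]:
            findings["no_group_product_access"].append(user["email"])
    return dict(findings)


if __name__ == "__main__":
    for problem, emails in audit(OLD_APP_USERS, VERIFIED_DOMAINS).items():
        print(f"{problem}: {', '.join(emails)}")
```

Users reported under `unverified_domain` cannot be pushed by the Atlassian Cloud app until their domain is verified at the Organization level; users under `no_group_product_access` need a group assignment before they receive product access.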

MIGRATION STEPS

A new Atlassian application called Atlassian Cloud has been added to the Okta Integration Network (OIN) to provide a better overall experience to Okta customers. This new application adds Lifecycle Management support for Atlassian's new identity platform.

To take advantage of these updates, you have to add a new instance of Atlassian Cloud in your Okta org. If you previously added any of the Okta-built Jira/Confluence Cloud applications, follow the steps below to migrate from these applications to the new Atlassian Cloud application:

  1. Sign in to your Okta org as an Admin.

  2. Open the Admin Console.

  3. Click Add Applications:

    Add Application in Okta

  4. Add a new instance of Atlassian Cloud:

    Add new Atlassian instance in Okta

  5. Configure the application depending on the features you would like to use (SWA, OMM, SAML, Provisioning):

    1. SWA: Under the Sign On tab, select SWA as the sign on method and choose the desired option for saving user credentials, then click Save:

      Select SWA as sign on method

      1. If you were using the SWA sign-on mode for your old Jira/Confluence Cloud application, the credentials for all users that will be assigned to the new Atlassian Cloud application need to be re-entered. Note: If users need to retrieve their passwords, they can do so by following the steps below:

        • On their Okta homepage, hover over the old Jira/Confluence Cloud application, then click the gear icon:

          click Confluence gear icon

        • On the See Password tab, click Reveal Password. Users are prompted to re-authenticate to see the credentials:

          Reveal password

        • Before de-activating/deleting your old Jira/Confluence Cloud app instance, make sure that all users who need to retrieve their passwords have done so to avoid re-setting their passwords via Jira/Confluence Cloud.

      2. Make sure to select/add the same Application Username Format from the existing Jira/Confluence app:

        select Application Username Format

      3. Scroll down to the Sign On Policy section. Copy all sign on policies to the new app, the way you had them configured for the old app (see Add Sign On policies for applications for details):

        Copy sign on policy from old apps

    2. OMM: Under the Mobile tab, enable all desired Mobile applications that you want to be available to your users for download in the Okta Mobile App Store.

      Mobile tab, enable atlassian mobile apps for Okta mobile store

      Note: If you activated the Jira/Confluence Cloud OMM applications in your old Jira/Confluence Cloud application, you would need to re-activate these again after adding the new Atlassian Cloud application.

    3. SAML: Under the Sign On tab, choose SAML as the sign on method. Click View Setup Instructions and follow all the steps to configure SAML for your Atlassian Cloud app:

      For SAML sign on method, select View Setup Instructions

    4. SCIM: Follow the steps outlined in the Atlassian Cloud SCIM Configuration Guide. Remember that user provisioning via the Atlassian Cloud SCIM app should be done via Group assignment. User product access is assigned via Groups.

      Common Provisioning Scenarios not Described in the Atlassian Configuration Guide

      • Pushing existing groups that were pushed using the Okta-built Jira apps

        As mentioned in the REQUIREMENTS section, pushing groups that were previously pushed using the Okta-built Jira apps to the Atlassian Cloud app should link the groups correctly. Any product access granted to those groups will stay the same. No special step is needed to push the same groups.

      • Pushing Groups using a rule

        If you previously set up a rule in your Okta-built Jira/Confluence apps to push groups automatically, make sure that you add the same rule in your Atlassian Cloud app instance.

        add push groups rule to new apps

        This is important if you import groups from an external source (e.g. Active Directory, LDAP) to ensure that any groups created from those sources continue to be pushed automatically.

      • Using custom mappings when pushing users

        The Atlassian Cloud app currently does not support the Second Email and Mobile Phone attributes. These two attributes were supported in the Okta-built Jira/Confluence apps. All other attributes are supported. For a full list of the Atlassian Cloud SCIM app default attributes and mappings, see the Atlassian Cloud SCIM Configuration Guide. If you need to add or delete attributes in your SCIM app, or update the mappings of any attributes to match your old Jira/Confluence attribute mappings, you can follow this guide: Check the Attributes for Your Application and their corresponding Mappings.

        Note: Once you push a user at an org level, any attribute mappings set using the Atlassian Cloud app will overwrite any attribute mappings set using the Okta-built Jira/Confluence apps.

  6. After you have enabled all the features you want, go to the Assignments tab of your new Atlassian Cloud application. Click Assign and start assigning the same users/groups that are assigned to your old Jira/Confluence Cloud applications.

    IMPORTANT

    1. Make sure you assign all the users to your new Atlassian Cloud instance to avoid any accidental de-provisioning/loss of access for your users.

    2. If you are enabling Provisioning, it is important to go through the Atlassian Cloud SCIM configuration guide before assigning users to the application. To provision users properly with the correct product access permissions, it is necessary for users to be assigned via Group assignment (these Groups should be pushed first before assignment).

    Assign new app to same users/groups

  7. Go back to your Admin Console.

  8. Open your Jira/Confluence Cloud application(s).

    Note: This is the previous application you added before adding a new one in step 4.

  9. Optional: If you previously used Provisioning for your Jira/Confluence Cloud app:

    1. Go to the Provisioning tab.

    2. Under SETTINGS, select API Integration.

    3. Click Edit, then uncheck Enable API Integration.

    4. Click Save:

      Provisioning > API, uncheck Enable API Integration

  10. You can now deactivate or delete your old Jira/Confluence Cloud application and continue using the new Atlassian Cloud application you added. However, we recommend that you hide the app for a short time period (1~2 weeks) and have users test with the new application before deactivating the old Jira/Confluence app. Follow the steps below:

    1. To hide your old Jira/Confluence app:

      • Navigate to the old Jira/Confluence app, then select the General tab.

      • Check Do not display application icon to users.

      • If the app is set up for mobile access, also check Do not display application icon in the Okta mobile app.

      • Click Save.

      • The old Jira/Confluence app is now hidden to end users.

      Hide old icon on dashboard

    2. To deactivate your old Jira/Confluence Cloud application:

      • Click the Active status drop-down menu under your Jira/Confluence Cloud application label, then click Deactivate:

      deactivate old apps

    3. To delete your old Jira/Confluence Cloud application:

      • Deactivate the old app as described in the previous step (To deactivate your old Jira/Confluence Cloud application). After the app has been deactivated, click the Inactive status drop-down menu. You are given the option to Activate or Delete the app. Choose Delete. You are prompted to confirm whether you really want to delete the application. Click Delete Application:

      delete old apps