Atlassian Migration Guide

This document provides instructions for customers to migrate from their existing Confluence and Jira Cloud provisioning apps in the Okta Integration Network (Atlassian Jira Cloud, Jira (Atlassian), and Atlassian Confluence Cloud) to the new Atlassian Cloud OIN app.



REQUIREMENTS

  • To take advantage of the Atlassian Cloud app and use both SAML and SCIM functionality, you have to have an Atlassian Access subscription. For more information, see: https://www.atlassian.com/software/access.
  • The Okta-built Confluence/Jira applications allow you to manage users at a Site level. The Atlassian-built Atlassian Cloud application allows you to manage users at an Organization level. As per Atlassian's documentation, Atlassian Organizations can have multiple Sites and are a centralized place for customers to manage their product and users. Before proceeding to the migration steps below, make sure that you have added your Jira/Confluence sites to your Atlassian Organization (for more information, see: https://confluence.atlassian.com/cloud/set-up-an-atlassian-organization-938859734.html).
  • You should test the migration flow with sample users/groups to ensure everything is working properly before you proceed with production data.
  • It is not recommended to use individual assignments when assigning users to the Atlassian Cloud application. As mentioned throughout the migration steps below, assigning users should be done via group assignment, as product access is granted to the groups. Members of those groups will automatically have the product access that was granted to the groups they belong to. If you use individual user assignment when pushing users via your Atlassian Cloud application in Okta, that user will not have any product access until you add that user to a group.
  • If you are pushing groups via the Atlassian Cloud application that you previously pushed using the Okta-built Jira applications, the groups will automatically be linked and any product access you granted to that group should remain the same.
  • If you want the users you pushed via the Jira/Confluence applications to be a part of the same groups, you have to assign them to those groups in Okta before you push them via the Atlassian Cloud application.

    Note: Unlike the Okta-built Jira/Confluence applications, the Atlassian Cloud app does not support Group Discovery when pushing new users.

  • For the Atlassian Cloud app, user accounts can only be pushed if they use a domain that is verified using your Atlassian Organization. At an Atlassian Organization level, you need to verify you own a domain to be able to push and manage accounts using that domain:

    Atlassian verify domains

  • At the Atlassian Site level, users with any domain you grant access to can be added to the Site. You don't need to verify that you own the domain as you do at the Atlassian Organization level:

    Atlassian define Site access

  • Remember the following when you are migrating: If you have users at the Site level using a domain that you can't verify at an Organization level, you will not be able to push those users using the Atlassian Cloud app.
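
A pre-migration check for the requirements above, as an added example that is not part of the original Okta guide: it flags users whose login domain is not verified at the Atlassian Organization (they cannot be pushed) and users who belong to no group (they would be pushed without product access). The record layout, sample users and domains are constructed assumptions, and domains are compared by exact match.

```python
"""Pre-migration audit for the move to the Atlassian Cloud app (added example)."""

# Constructed sample data; the record layout is an assumption, not an Okta export format.
VERIFIED_DOMAINS = {"example.com"}  # domains verified at the Atlassian Organization
OLD_APP_USERS = [
    {"login": "ana@example.com", "groups": ["jira-users"]},
    {"login": "bo@example.com", "groups": []},                  # individual assignment only
    {"login": "cy@contractor.test", "groups": ["jira-users"]},  # Site-level domain, not verified
    {"login": "Dee@EXAMPLE.com", "groups": ["confluence-users"]},
    {"login": "malformed-login", "groups": ["jira-users"]},
]


def domain_of(login):
    """Return the lower-cased domain of an email-style login, or None if malformed."""
    local, sep, domain = login.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def audit(users, verified_domains):
    """Sort users into buckets by the requirement that blocks a clean migration."""
    verified = {d.lower() for d in verified_domains}
    report = {"ready": [], "unverified_domain": [], "no_group": []}
    for user in users:
        login = user["login"]
        if domain_of(login) not in verified:
            # The Atlassian Cloud app cannot push this account at all.
            report["unverified_domain"].append(login)
        elif not user["groups"]:
            # The account would be pushed, but with no product access
            # until the user is added to a group.
            report["no_group"].append(login)
        else:
            report["ready"].append(login)
    return report


if __name__ == "__main__":
    for bucket, logins in audit(OLD_APP_USERS, VERIFIED_DOMAINS).items():
        print(f"{bucket}: {', '.join(logins) or '-'}")
```

Running the same check against the sample users/groups used for the test migration shows which accounts need a verified domain or a group assignment before production data is moved.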

MIGRATION STEPS

A new Atlassian application called Atlassian Cloud has been added to the Okta Integration Network (OIN) to provide a better overall experience to Okta customers. This new application adds Lifecycle Management support for Atlassian's new identity platform.

To take advantage of these updates, you have to add a new instance of Atlassian Cloud in your Okta org. If you previously added any of the Okta-built Jira/Confluence Cloud applications, follow the steps below to migrate from these applications to the new Atlassian Cloud application:

  1. Sign in to your Okta org as an Admin.

  2. Open the Admin Console.

  3. Click Add Applications:

    Add Application in Okta

  4. Add a new instance of Atlassian Cloud:

    Add new Atlassian instance in Okta

  5. Configure the application depending on the features you would like to use (SWA, OMM, SAML, Provisioning):

    1. SWA: Under the Sign On tab, select SWA as the sign on method and choose the desired option for saving user credentials, then click Save:

      Select SWA as sign on method

      1. If you were using the SWA sign-on mode for your old Jira/Confluence Cloud application, the credentials for all users that will be assigned to the new Atlassian Cloud application need to be re-entered. Note: If users need to retrieve their passwords, they can do so by following the steps below:

        • On their Okta homepage, hover over the old Jira/Confluence Cloud application, then click the gear icon:

          click Confluence gear icon

        • On the See Password tab, click Reveal Password. Users are prompted to re-authenticate to see the credentials:

          Reveal password

        • Before de-activating/deleting your old Jira/Confluence Cloud app instance, make sure that all users who need to retrieve their passwords have done so to avoid re-setting their passwords via Jira/Confluence Cloud.

      2. Make sure to select/add the same Application Username Format from the existing Jira/Confluence app:

        select Application Username Format

      3. Scroll down to the Sign On Policy section. Copy all sign on policies to the new app, the way you had them configured for the old app (see Add Sign On policies for applications for details):

        Copy sign on policy from old apps

    2. OMM: Under the Mobile tab, enable all desired Mobile applications that you want to be available to your users for download in the Okta Mobile App Store.

      Mobile tab, enable atlassian mobile apps for Okta mobile store

      Note: If you activated the Jira/Confluence Cloud OMM applications in your old Jira/Confluence Cloud application, you need to re-activate them after adding the new Atlassian Cloud application.

    3. SAML: Under the Sign On tab, choose SAML as the sign on method. Click View Setup Instructions and follow all the steps to configure SAML for your Atlassian Cloud app:

      For SAML sign on method, select View Setup Instructions

    4. SCIM: Follow the steps outlined in the Atlassian Cloud SCIM Configuration Guide. Remember that user provisioning via the Atlassian Cloud SCIM app should be done via Group assignment. User product access is assigned via Groups.

      Common Provisioning Scenarios not Described in the Atlassian Configuration Guide

  6. After you have enabled all the features you want, go to the Assignments tab of your new Atlassian Cloud application. Click Assign and start assigning the same users/groups that are assigned to your old Jira/Confluence Cloud applications.

    IMPORTANT

    1. Make sure you assign all the users to your new Atlassian Cloud instance to avoid any accidental de-provisioning/loss of access for your users.

    2. If you are enabling Provisioning, it is important to go through the Atlassian Cloud SCIM configuration guide before assigning users to the application. To provision users properly with the correct product access permissions, it is necessary for users to be assigned via Group assignment (these Groups should be pushed first before assignment).

    Assign new app to same users/groups

  7. Go back to your Admin Console.

  8. Open your Jira/Confluence Cloud application(s).

    Note: This is the previous application you added before adding a new one in step 4.

  9. Optional: If you previously used Provisioning for your Jira/Confluence Cloud app:

    1. Go to the Provisioning tab.

    2. Under SETTINGS, select API Integration.

    3. Click Edit, then uncheck Enable API Integration.

    4. Click Save:

      Provisioning > API, uncheck Enable API Integration

  10. You can now deactivate or delete your old Jira/Confluence Cloud application and continue using the new Atlassian Cloud application you added. However, we recommend that you hide the app for a short time period (1~2 weeks) and have users test with the new application before deactivating the old Jira/Confluence app. Follow the steps below:

    1. To hide your old Jira/Confluence app:

      Hide old icon on dashboard

    2. To deactivate your old Jira/Confluence Cloud application:

      • Click the Active status drop-down menu under your Jira/Confluence Cloud application label, then click Deactivate:

      deactivate old apps

    3. To delete your old Jira/Confluence Cloud application:

      • Deactivate the old app as described in the deactivation step above. After the app has been deactivated, click the Inactive status drop-down menu. You are given the option to Activate or Delete the app. Choose Delete. You are prompted to confirm whether you really want to delete the application. Click Delete Application:

      delete old apps
