MINI WHITE PAPER OVERVIEW

Setting up user provisioning on the journey to Data Center

In this article, we’ll witness Sixt Lease’s transition from a Server infrastructure to a Data Center instance that leverages the best of the native Atlassian enterprise functionality with the most advanced apps from the Atlassian Marketplace for user provisioning.

A hybrid migration to Data Center SAML SSO and User Sync

In a migration to Data Center, User Management processes, including authentication and user provisioning processes, need to be analyzed separately to find the most convenient solution. Sixt Lease’s architecture is a good example of how to leverage existing functionality in Data Center applications with the most advanced apps from the Marketplace.

Sixt Leasing’s move to Jira Data Center

In early 2020, Sixt Leasing decided to have their own Jira and Confluence instances on Data Center. This implied that the subsidiary would segregate from Sixt’s Server instance.

Customizations and third party add-ons were evaluated by TNG consulting and IT Management at Sixt Leasing. They followed two requirements:

Sufficient usage by Sixt Leasing employees and projects.
Existence of a Data Center compatible version.

A hybrid SSO setup: SAML-based authentication and REST user provisioning

When the time arrived for resolution’s Single Sign-On, this was the verdict:

Atlassian’s native Data Center SAML SSO could replace user authentication…
but it could not solve user provisioning.

TNG’s consultants started looking for an add-on that could provision users seamlessly.

Their recommendation was resolution’s User Sync. The app that integrates user directories of Atlassian applications and Identity Providers via REST API. No code needed.

Therefore, Sixt leasing implemented a solution:

where Data Center native SAML SSO is used to authenticate users
And User Sync is used to provision and de-provision users

Evaluating Atlassian’s Just in Time provisioning

In September 2020, Atlassian launched Just in Time user provisioning for its Data Center SAML SSO.

At this point, SIXT leasing reconsidered its SSO setup. They had the chance to drop User Sync and only use the built-in functionality instead.

The benefits were clear: lower costs, and a simpler implementation.

So why wasn’t User Sync dropped? An approval process in perfect sync.

Just in Time can’t update supervisor roles. With User Sync, issue approvals are reliable at all times.

Every employee at Sixt Leasing is assigned a supervisor who is responsible for approvals.

The approval process is based on a scriptRunner workflow validation. Only the supervisor and the supervisor’s supervisor can approve an issue, i.e. perform a specific workflow transition.

Supervisor roles are stored in the external directory as a user attribute. Since they change frequently, they are only maintained on the Identity Provider. From there, they should propagate to several tools, including Jira.

Supervisor attributes are synchronized into Jira with User Sync.

That synchronization would have been impossible with Just in Time provisioning. JiT only updates the information of a user when they successfully login. The accuracy of the approval process would depend on whether the user logs in after his supervisor has changed.

Conclusion

IT management and TNG consultants agreed it was beneficial to stick to the initial design. User Sync provisions and updates users, and Data Center SAML SSO deals only with authentication.

As a result, Sixt Leasing can benefit from the advantages of the SSO functionality shipped with Data Center Applications, and enforce its approval processes in Jira at all times.

GO BACK TO MINI WHITE PAPER OVERVIEW

PRODUCT DESCRIPTION - User & Group Sync

GO BACK

PRODUCT DESCRIPTION

Sixt Leasing SE, a former subsidiary of Sixt SE, provides full-service leasing solutions for corporate customers, as well as car rents for private and commercial customers through a convenient online platform.

TNG Technology Consulting is an Atlassian Gold Solution Partner and Atlassian Marketplace Vendor.

Cookie	Duration	Description
_gat_UA-44969175-9	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
CONSENT	16 years 3 months 13 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
b3e783bb62	session	This cookie is set by the provider Zoho. This cookie is used for collecting information on user interaction with the web-campaign content. This cookie helps the website owners to promote products and events on the CRM-campaign-platform.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_calendly_session	21 days	Store user preferences
_zcsr_tmp	session	Used for website security
1e5a17c8ab	session	No description available.
3eb9b21c5c	session	No description available.
4662279173	session	No description available.
AnalyticsSyncHistory	1 month	Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
d4bcc0a499	session	No description available.
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
m	2 years	No description available.
zft-sdc	12 hours	This cookie stores metadata ( entrances, source etc) of a session which is used by full tracking. (https://www.zoho.com/privacy/cookie-policy.html)
zps-tgr-dts	1 year	This cookie stores the session's metadata on your website.
zsc	30 minutes	Zoho Service Communication Key.