try at Atlassian Marketplace
Setting up user provisioning on the journey to Data Center

Setting up user provisioning on the journey to Data Center

User Sync attribute synchronization
Sixt Lease's architecture leverages Data Center applications with the most advanced apps from the Atlassian Marketplace for user provisioning.

Table of Contents


The challengeFinding the most convenient SSO architecture for a new Data Center instance of Jira
The Atlassian Stack– Jira Data Center 1,000 users
– Confluence Data Center 1,000 users
SolutionCombine the native Atlassian Data Center SSO for authentication with resolution’s User Sync for user provisioning, deprovisioning, and updates
Benefits– Maximum value for minimum cost of all possible scenarios
– A complex approval process perfectly synced in Jira

A hybrid migration to Data Center SAML SSO and User Sync

In a migration to Data Center, User Management processes, including authentication and user provisioning processes, need to be analyzed separately to find the most convenient solution. Sixt Lease’s architecture is a good example of how to leverage existing functionality in Data Center applications with the most advanced apps from the Marketplace.

Sixt Leasing’s move to Jira Data Center

Authenticating and provisioning users with resolution's SAML SSO

In early 2020, Sixt Leasing decided to have their own Jira and Confluence instances on Data Center. This implied that the subsidiary would segregate from Sixt’s Server instance.

Customizations and third party add-ons were evaluated by TNG consulting and IT Management at Sixt Leasing. They followed two requirements:

  • Sufficient usage by Sixt Leasing employees and projects.
  • Existence of a Data Center compatible version.

A hybrid SSO setup: SAML-based authentication and REST user provisioning

When the time arrived for resolution’s Single Sign-On, this was the verdict:

Authenticating with  Atlassian Data Center SAML SSO and provisioning users with resolution's User Sync

  • Atlassian’s native Data Center SAML SSO could replace user authentication
  • but it could not solve user provisioning.

TNG’s consultants started looking for an add-on that could provision users seamlessly.

Their recommendation was resolution’s User Sync. The app that integrates user directories of Atlassian applications and Identity Providers via REST API. No code needed.

Therefore, Sixt leasing implemented a solution:

  • where Data Center native SAML SSO is used to authenticate users
  • And User Sync is used to provision and de-provision users

Evaluating Atlassian’s Just in Time provisioning

Authenticating and provisioning users with Atlassian Data Center SAML SSO

In September 2020, Atlassian launched Just in Time user provisioning for its Data Center SAML SSO.

At this point, SIXT leasing reconsidered its SSO setup. They had the chance to drop User Sync and only use the built-in functionality instead.

The benefits were clear: lower costs, and a simpler implementation.

So why wasn’t User Sync dropped?

An approval process in perfect sync

Just in Time can’t update supervisor roles.

With User Sync, issue approvals are reliable at all times.

Every employee at Sixt Leasing is assigned a supervisor who is responsible for approvals.

The approval process is based on a scriptRunner workflow validation. Only the supervisor and the supervisor’s supervisor can approve an issue, i.e. perform a specific workflow transition.

Supervisor roles are stored in the external directory as a user attribute. Since they change frequently, they are only maintained on the Identity Provider. From there, they should propagate to several tools, including Jira.

Supervisor attributes are synchronized into Jira with User Sync.

That synchronization would have been impossible with Just in Time provisioning. JiT only updates the information of a user when they successfully login. The accuracy of the approval process would depend on whether the user logs in after his supervisor has changed.


IT management and TNG consultants agreed it was beneficial to stick to the initial design. User Sync provisions and updates users, and Data Center SAML SSO deals only with authentication.

As a result, Sixt Leasing can benefit from the advantages of the SSO functionality shipped with Data Center Applications, and enforce its approval processes in Jira at all times.

About Sixt Leasing

SIXT Leasing logo

Sixt Leasing SE, a former subsidiary of Sixt SE, is one of Germany’s leading vehicle leasing providers with subsidiaries in Austria, Switzerland, France and the Netherlands. Independent from manufacturers and banks, Sixt GmbH & Co. Autovermietung KG provides full-service leasing solutions for corporate customers, as well as car rents for private and commercial customers through a convenient, fully configurable and cost-efficient online platform.

About TNG Tech Consulting

TNG Technology Consulting GmbH

TNG Technology Consulting is an Atlassian Gold Solution Partner and Atlassian Marketplace Vendor. Their model is based on value-based consulting partnership focused on high end information technology with a service offering in agile software development, Artificial Intelligence, and DevOps and Cloud.

Subscribe to our newsletter:

Related articles: