| The challenge | Finding the most convenient SSO architecture for a new Data Center instance of Jira |
| The Atlassian Stack | Jira Data Center 1,000 users; Confluence Data Center 1,000 users |
| Solution | Combine the native Atlassian Data Center SSO for authentication with resolution’s User Sync for user provisioning, deprovisioning, and updates |
| Benefits | Maximum value for minimum cost of all possible scenarios; a complex approval process perfectly synced in Jira |
A hybrid migration to Data Center SAML SSO and User Sync
In a migration to Data Center, user management processes, including authentication and user provisioning, need to be analyzed separately to find the most convenient solution. Sixt Leasing’s architecture is a good example of how to combine existing functionality in Data Center applications with the most advanced apps from the Marketplace.
Sixt Leasing’s move to Jira Data Center
In early 2020, Sixt Leasing decided to run its own Jira and Confluence instances on Data Center. This implied that the subsidiary would separate from Sixt’s Server instance.
Customizations and third-party add-ons were evaluated by TNG consulting and IT Management at Sixt Leasing. Each had to meet two requirements:
- Sufficient usage by Sixt Leasing employees and projects.
- Existence of a Data Center compatible version.
A hybrid SSO setup: SAML-based authentication and REST user provisioning
When the time arrived for resolution’s Single Sign-On, this was the verdict:
- Atlassian’s native Data Center SAML SSO could replace user authentication…
- but it could not solve user provisioning.
TNG’s consultants started looking for an add-on that could provision users seamlessly.
Their recommendation was resolution’s User Sync, the app that integrates user directories of Atlassian applications and Identity Providers via REST API. No code needed.
Therefore, Sixt Leasing implemented a solution where:
- Data Center native SAML SSO is used to authenticate users
- User Sync is used to provision and de-provision users
Evaluating Atlassian’s Just in Time provisioning
In September 2020, Atlassian launched Just in Time user provisioning for its Data Center SAML SSO.
At this point, Sixt Leasing reconsidered its SSO setup. They had the chance to drop User Sync and only use the built-in functionality instead.
The benefits were clear: lower costs, and a simpler implementation.
So why wasn’t User Sync dropped?
An approval process in perfect sync
Just in Time can’t update supervisor roles.
With User Sync, issue approvals are reliable at all times.
Every employee at Sixt Leasing is assigned a supervisor who is responsible for approvals.
The approval process is based on a ScriptRunner workflow validation. Only the supervisor and the supervisor’s supervisor can approve an issue, i.e. perform a specific workflow transition.
Supervisor roles are stored in the external directory as a user attribute. Since they change frequently, they are only maintained on the Identity Provider. From there, they should propagate to several tools, including Jira.
Supervisor attributes are synchronized into Jira with User Sync.
That synchronization would have been impossible with Just in Time provisioning. JiT only updates a user’s information when that user successfully logs in. The accuracy of the approval process would depend on whether the user logs in after their supervisor has changed.
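The staleness described above, modelled as an added example (not code from Sixt Leasing, TNG or resolution): the usernames, dictionaries and function names are hypothetical and the data is constructed. It shows that when a supervisor's own supervisor changes, the approver set of their reports stays wrong in a login-driven model until the supervisor logs in, no matter how often the reports do.

```python
# Added example: constructed data; all names are hypothetical.

def approvers(supervisor_of, user):
    """Who may approve `user`'s issues: the supervisor and the supervisor's
    supervisor, following the rule described in the text."""
    first = supervisor_of.get(user)
    if first is None:
        return set()
    allowed = {first}
    second = supervisor_of.get(first)
    if second is not None:
        allowed.add(second)
    allowed.discard(user)  # a cycle in the data must never allow self-approval
    return allowed


def jit_view(idp_now, jira_before, logged_in):
    """Model login-driven updates: Jira's copy of a user's supervisor
    attribute is refreshed only for users who logged in after the change."""
    view = dict(jira_before)
    for user in logged_in:
        if user in idp_now:
            view[user] = idp_now[user]
    return view


def approval_drift(idp_now, jira_view):
    """Compare approver sets derived from the IdP and from Jira's copy.
    Returns, per affected user, who is still allowed but should not be
    ("stale_allowed") and who should be allowed but is not ("missing")."""
    drift = {}
    for user in sorted(set(idp_now) | set(jira_view)):
        want, have = approvers(idp_now, user), approvers(jira_view, user)
        if want != have:
            drift[user] = {"stale_allowed": sorted(have - want),
                           "missing": sorted(want - have)}
    return drift


# Constructed scenario: bob's supervisor changes from carol to dave on the IdP.
JIRA_BEFORE = {"alice": "bob", "bob": "carol", "carol": "erin", "dave": "erin"}
IDP_NOW = {"alice": "bob", "bob": "dave", "carol": "erin", "dave": "erin"}

if __name__ == "__main__":
    # alice logs in, bob does not: both alice's and bob's approvers are stale.
    print(approval_drift(IDP_NOW, jit_view(IDP_NOW, JIRA_BEFORE, {"alice"})))
    # bob logs in: his attribute is refreshed and the drift disappears.
    print(approval_drift(IDP_NOW, jit_view(IDP_NOW, JIRA_BEFORE, {"bob"})))
```

Run against real exports of both directories, the same comparison works as a periodic audit of whether approval permissions in Jira still match the Identity Provider.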
IT management and TNG consultants agreed it was beneficial to stick to the initial design. User Sync provisions and updates users, and Data Center SAML SSO deals only with authentication.
As a result, Sixt Leasing can benefit from the advantages of the SSO functionality shipped with Data Center Applications, and enforce its approval processes in Jira at all times.
About Sixt Leasing
Sixt Leasing SE, a former subsidiary of Sixt SE, is one of Germany’s leading vehicle leasing providers with subsidiaries in Austria, Switzerland, France and the Netherlands. Independent from manufacturers and banks, Sixt GmbH & Co. Autovermietung KG provides full-service leasing solutions for corporate customers, as well as car rentals for private and commercial customers through a convenient, fully configurable and cost-efficient online platform.
About TNG Tech Consulting
TNG Technology Consulting is an Atlassian Gold Solution Partner and Atlassian Marketplace Vendor. Their model is based on a value-based consulting partnership focused on high-end information technology, with a service offering in agile software development, Artificial Intelligence, and DevOps and Cloud.