Jira Cloud User Provisioning (SCIM) for Keycloak


The User Sync & Group Sync app syncs user and group information from Keycloak to Jira Cloud. This way, the administrator only needs to manage user accounts in Keycloak, which reduces the administration time required to create users and groups in Atlassian modules such as Jira Cloud.

Download And Installation



  • Log in to your Atlassian instance as an admin.
  • Navigate to the settings menu and click Manage Apps.
  • Click Find new apps.
  • Locate miniOrange User and Group Sync app.
  • Click Try free to begin a new trial or Buy now to purchase a license.
  • Enter your information and click Generate license when redirected to MyAtlassian.
  • Click Apply license.

Step 1: Setup Keycloak

  • First, log in to your Keycloak dashboard.
  • Click Clients in the left sidebar and create a new client.
  • Enter a name as the Client ID and select openid-connect as the Client Protocol.
  • Now, you will see the Settings page of the created client.
  • Here, select confidential as the Access Type. Make sure the options Standard Flow Enabled, Direct Access Grants Enabled, Service Accounts Enabled and Authorization Enabled are turned on.
  • In Valid redirect URIs, enter your Jira base URL, then click SAVE.
  • After saving, go to the Credentials tab on top. Save the client secret from here.
  • Now go to Roles from the top menu and select uma_protection.
  • Under uma_protection, turn on Composite Roles and transfer all the Realm roles from Available Roles to Associated Roles.
  • Go to Service account roles, select "realm-management" and add the scopes highlighted below.
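
To confirm the client ended up with the settings from Step 1, the check below audits a client JSON export from the Keycloak admin console. It is an added example, not code from miniOrange or Keycloak; the field names are those of Keycloak's client representation, and the site URL, client name and sample exports are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Step 1 settings, keyed by Keycloak client-representation field name.
REQUIRED = {
    "protocol": "openid-connect",
    "publicClient": False,              # Access Type: confidential
    "standardFlowEnabled": True,
    "directAccessGrantsEnabled": True,
    "serviceAccountsEnabled": True,
    "authorizationServicesEnabled": True,
}

def audit_client(client, jira_base_url):
    """Return a list of findings; an empty list means the export matches Step 1."""
    findings = []
    for field, expected in REQUIRED.items():
        actual = client.get(field)
        if actual != expected:
            findings.append(f"{field}: expected {expected!r}, found {actual!r}")
    base = urlsplit(jira_base_url)
    uris = client.get("redirectUris") or []
    if not uris:
        findings.append("redirectUris: empty, expected the Jira base URL")
    for uri in uris:
        parts = urlsplit(uri)
        # A bare "*" or a different host would accept redirects outside Jira.
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            findings.append(f"redirectUris: {uri!r} is not under {jira_base_url}")
    return findings

# Constructed sample data: hypothetical site URL and client name.
JIRA_BASE_URL = "https://example.atlassian.net"
GOOD = json.loads("""{
  "clientId": "jira-user-sync", "protocol": "openid-connect",
  "publicClient": false, "standardFlowEnabled": true,
  "directAccessGrantsEnabled": true, "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "redirectUris": ["https://example.atlassian.net"]
}""")
BAD = dict(GOOD, publicClient=True,
           redirectUris=["*", "https://example.atlassian.net/*"])

if __name__ == "__main__":
    for name, client in (("good", GOOD), ("bad", BAD)):
        print(name, audit_client(client, JIRA_BASE_URL) or "matches Step 1")
```
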

Step 2: Configure API token

2.1: User Sync

  • Set up the API token by clicking the Configure API Token button.
  • Enter your Admin Email.
  • Generate your own API token. Please refer to this document here.
  • Enter the Application Name and click the Submit button. Copy the SCIM Base URL and SCIM Bearer Token; these will be used later to configure the SCIM application on miniOrange IDP.


Step 3: Provisioning Operations

  • Enable the Import Users option to create users automatically if they do not exist in Jira.
  • Enable the Import Groups option to create groups automatically if they do not exist in Jira.
  • Click on Submit.

Step 4: Multiple IDPs

  • The plugin allows for configuring multiple IDPs on your SP to accommodate your specific use case. To add another IDP, simply navigate to the "Configured IDPs" section.

If you don't find what you are looking for, please contact us at support-atlassian@miniorange.atlassian.net or raise a support ticket here.