SCIM Integration with Google Workspace (new)

Here is a quick demo of how it works with Google as IdP.

Google Workspace supports System for Cross-domain Identity Management (SCIM) integration for SAML apps, which provides automated user provisioning. You can then authorize, create, modify, or delete a user's identity in Google Workspace. Google supports automated SCIM user provisioning with a range of cloud applications.

The procedure for creating an integration includes the following main steps:

  1. Set up SSO, using Google as IdP for your app. 

  2. Set up auto-provisioning for the app.

We are not using SSO here, so the corresponding settings will be left at their mock (default) values, for testing only. In our case we will use SAML for the Atlassian Cloud application.

1. Set up Google as a SAML identity provider (IdP)

  1. Log in to the Google Workspace Admin Console with a super administrator account.

  2. In the Admin console, go to Menu > Apps > Web and mobile apps.

  3. Click Add app.

  4. Enter Atlassian Cloud in the search field.

  5. In the search results, hover over the Atlassian Cloud SAML app and click Select.

  6. On the Google Identity Provider details page, click Continue (as mentioned above, we are not interested in the SSO configuration in this case, so skip it).

  7. On the Service provider details page, similarly leave the values as they are and click Continue.

  8. On the Attribute Mapping page, click the Select field menu and map the following Google directory fields to their corresponding Atlassian attributes.

  9. Click Finish.

2. Set up autoprovisioning for the Atlassian application

  1. In the Admin console, go to Menu > Apps > Web and mobile apps.

  2. Click the Atlassian Cloud application.

  3. In the Autoprovisioning section, click Configure autoprovisioning.

  4. Before proceeding, we need to get the parameter values from the target Atlassian app that point Google to your SCIM API server (service provider). So, get the SCIM API URL and Bearer token on the Jira/Confluence/Bitbucket side, for example:

  5. Enter the API key you received from Atlassian Cloud.

  6. Click Continue.

  7. Paste the endpoint URL you copied from Atlassian Cloud that contains your unique ID.

  8. Click Continue.

  9. Verify that all mandatory Atlassian Cloud attributes (those marked with an *) are mapped to Google Cloud Directory attributes. If not, click the Down arrow and map to the appropriate attribute. We leave the values as they are:

  10. Click Continue.

  11. (Optional) Restrict provisioning to specific groups. If necessary, add more groups and choose a scope:

  12. Click Continue.

  13. Choose how long deprovisioning actions should be delayed before taking effect. We leave the values as they are:

  14. Click Finish.

  15. In the Auto-provisioning section, we need to click the activation slider, but the slider is disabled if Atlassian Cloud isn’t turned on for any users. Click User access and turn the app on to enable the slider:

  16. Now we are able to click the activation slider:

  17. In the confirmation dialog box, click Turn on.

  18. Autoprovisioning is Active now. Once provisioning is on, Google starts collecting usage information. You'll see the usage information in the Auto-provisioning section. There won't be any numbers next to the event names until you enable provisioning.

    The following event names provide the usage information for the last 30 days:

    • Users created

    • Users suspended

    • Users deleted

    • Failures

3. Check the Jira (Confluence/Bitbucket) info

  1. Jira Users:

  2. Plugin’s Audit Log. Here we can see requests coming from Google:

  3. Let’s delete one user in Google Workspace. After a while we can see changes in the application:

So, deprovisioning works correctly.
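
To check the audit log systematically rather than by eye, the requests coming from Google can be mapped onto the event names Google reports (Users created, Users suspended, Users deleted, Failures). The following is an added example, not part of the original page or the plugin's code; it assumes SCIM 2.0 (RFC 7644) requests, and the `(method, path, status, body)` entry format, the `/scim/v2` path and the sample entries are constructed for illustration.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _sets_inactive(body):
    """True if a SCIM PUT/PATCH body sets the user's 'active' attribute to false."""
    if body.get("active") is False:              # PUT carrying the full resource
        return True
    if PATCH_SCHEMA not in body.get("schemas", []):
        return False
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("replace", "add"):
            continue
        path, value = op.get("path"), op.get("value")
        # Form 1: path "active"; some clients send the string "false"
        by_path = str(path or "").lower() == "active" and str(value).lower() == "false"
        # Form 2: no path, value is an object containing "active": false
        no_path = not path and isinstance(value, dict) and value.get("active") is False
        if by_path or no_path:
            return True
    return False

def classify(method, path, status, body=""):
    """Map one audited SCIM request to a provisioning event name."""
    if "/Users" not in path or method == "GET":
        return "other"
    if status >= 400:                            # e.g. 401 when the bearer token is wrong
        return "failure"
    if method == "POST" and path.rstrip("/").endswith("/Users"):
        return "created"
    if method == "DELETE":
        return "deleted"
    if method in ("PUT", "PATCH") and _sets_inactive(json.loads(body or "{}")):
        return "suspended"
    return "updated"

def summarize(entries):
    """Count events per type across a list of audit entries."""
    counts = {}
    for entry in entries:
        kind = classify(*entry)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample entries: (method, path, HTTP status, request body)
SAMPLE = [
    ("POST", "/scim/v2/Users", 201, '{"userName": "alice@example.com", "active": true}'),
    ("PATCH", "/scim/v2/Users/42", 200, json.dumps({"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": "active", "value": False}]})),
    ("DELETE", "/scim/v2/Users/42", 204, ""),
    ("POST", "/scim/v2/Users", 401, '{"userName": "bob@example.com"}'),
]
print(summarize(SAMPLE))
```

A user removed in Google Workspace should show up here as "suspended" or "deleted"; if only "failure" entries appear after the deprovisioning delay, the account is still active in the target application.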