Our plugin supports the automatic creation of new users in Jira/Confluence/Bitbucket as well as the synchronization of groups for existing users. To enable both features, see the respective configuration settings Create User on Login and Update Group Memberships on Login (→ Setup & Configuration).
When creating new users on authentication, the plugin uses the username, email and full name given by the OpenID Connect provider in the preferred_username, email and name claims of the ID token. The groups are synchronised according to the Custom Groups Claim option. For Keycloak, the client roles assigned to the user (→ Keycloak documentation on client roles) are used by default. This claim is also used for the group assignments on initial user creation. If you plan on using user creation or group membership synchronisation, make sure to set up the claim in the access token before enabling these options.
Setting up Client Roles
Using other Access Token claims
In the Groups Settings tab of the plugin configuration you can specify other claims in the access token to be used for group synchronisation. In Keycloak this enables you to use client roles of other clients as well as realm roles as groups. You can also set up custom mappers to populate access token claims.
For other OpenID Connect providers, the claim to set as Custom Groups Claim depends on the provider. For this option to be available, the provider has to serve JWT access tokens. Any string array claim can then be used as the group membership list.
Synchronisation of the administrator groups
The administrator groups jira-administrators and confluence-administrators can be synchronized to Jira/Confluence like any other group. But if a user in either of these groups tries to change system settings or manage users, they will usually be prompted for a password. This additional security mechanism is called WebSudo. This can cause problems in setups where new administrators are created by the plugin. See Troubleshooting → Additional Authentication required for Administrators for more information.
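The following is an added example, not part of the plugin or its documentation, for checking an access token before enabling group synchronisation. It decodes a JWT access token without verifying the signature, checks that a candidate groups claim is a string array, and lists any of the administrator groups named above that it would synchronise. The token is constructed, the client ID jira is an assumption, and the claim is passed as a list of keys because the syntax the plugin expects in Custom Groups Claim is not shown on this page.

```python
import base64
import json

# Administrator groups named on this page; syncing them grants admin rights.
ADMIN_GROUPS = {"jira-administrators", "confluence-administrators"}


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample in the shape of a Keycloak access token (client id "jira"
# is an assumption); the signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"preferred_username": "alice", "scope": "openid profile",
          "realm_access": {"roles": ["offline_access"]},
          "resource_access": {"jira": {"roles": ["jira-software-users",
                                                 "jira-administrators"]}}}),
    "constructed-signature",
])


def decode_jwt_payload(token):
    """Return the JWT payload as a dict, or None for an opaque token.
    The signature is not verified: inspection only, never a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


def check_groups_claim(token, claim_path):
    """Resolve claim_path (list of keys) and require a string array."""
    result = {"ok": False, "reason": "", "groups": [], "admin": []}
    node = decode_jwt_payload(token)
    if node is None:
        return dict(result, reason="access token is not a JWT")
    for key in claim_path:
        if not isinstance(node, dict) or key not in node:
            return dict(result, reason="claim not found at '%s'" % key)
        node = node[key]
    if not isinstance(node, list) or not all(isinstance(g, str) for g in node):
        return dict(result, reason="claim is not a string array")
    return dict(result, ok=True, groups=node, admin=sorted(ADMIN_GROUPS & set(node)))
```

A non-empty admin list in the result means that enabling synchronisation with this claim would place the user in an administrator group, so review who can assign that role at the provider.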