With Just-in-Time (JIT) provisioning, you can use SAML assertions or OpenID Connect user info endpoints to create and update Atlassian users accounts on the fly when they log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization, you don't need to manually create the user in Atlassian application. When they log in with single sign-on, their account is automatically created for them, eliminating the time and effort with on-boarding the account. Just-in-Time provisioning works with any writable user directory (Internal directories, Delegated LDAP, and Atlassian Crowd, and Active Directory).

JIT with Active Directory is only supported by Jira and Confluence, the user name attribute must be sAMAccountName, and the maxiumum username lenght is 20 characters long.

Admins can specify whether users should be created, updated and activated and also specify which user directory to work against in the JIT configuration page in the Kantega SSO Enterprise app.

...

...

The switch “Activate inactive users” works well in combination with https://kantega-sso.atlassian.net/l/cp/Hn4RUVow to reduce how many active users are in your Atlassian product.

Group memberships

Group memberships can be applied during SAML and OpenID Connect login, and as an admin you can both specify default-, auto created and managed groups.

...

Managed groups, on the other hand, uses membership claims included by the identity provider in the SAML response or OIDC token and synchronizes only the groups you have specifically configured.

See more details on how https://kantega-sso.atlassian.net/l/cp/zDDRo0Ya are configured here