Manual administration

No setup.

Does not scale well in terms of administrator work load.

Can be error-prone.

Duplicate admin work (user accounts must be manually maintained both at the identity provider and within the Atlassian application)

Active directory or LDAP sync

Built into Atlassian product.

Easy integration with any LDAP capable directory.

Usually best option in on-prem environments.

Limited or no support for cloud environments. While some vendors do provide LDAP adapters, they can be cumbersome to use.

Just-in-time

Works with any IDP.

Technically simple: Users are created and updated from data passed through the browser, meaning no additional network dependencies.

Scales to “infinite” directory sizes.

Does not remove inactive users.

Group provisioning/claims can be difficult to configure on some IDPs.

Users are able to set their own local passwords in the Atlassian application.

API Connector

Ability to create, update and delete users automatically

Can be combined with local groups

Express filters and transformations within the Atlassian applications.

Synchronization/snapshot based, so does not scale to very large directory sizes/companies (at a certain point, sync passes simply become too slow).

Has to be specifically implemented for each IDP. Currently only supported for Azure AD, Google GSuite, and Okta.

API Connectors does not support nested groups.

SCIM

In principle; works with any SCIMv2 compliant IDP.

Scales to any directory size.

SCIM also supports nested groups.

Requires inbound access to the Atlassian application. This has security implications/considerations. It also means more parts of the organization may need to be involved (networking/firewall etc).

Works best in the presence of failover, i.e. Atlassian Datacenter.

Some IDPs don’t provide SCIM at the basic subscription tiers. For example, a Platinum subscription is required for Azure AD.