With Just-in-Time (JIT) provisioning, you can use SAML assertions or OpenID Connect user info endpoints to create and update Atlassian users accounts on the fly when they log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization, you don't need to manually create the user in Atlassian application. When they log in with single sign-on, their account is automatically created for them, eliminating the time and effort with on-boarding the account. Just-in-Time provisioning works with any writable user directory (Internal directories, Delegated LDAP, and Atlassian Crowd).
Admins can specify whether users should be created, updated and activated and also specify which user directory to work against in the JIT configuration page in the Kantega SSO Enterprise app.
Group memberships can also be set applied during SAML and OpenID Connect login, and as an admin you can both specify default group - and managed groups.
Default groups are a static set of groups that all users logging will be assigned to when they log in through a specific identity provider will be assigned to.
Managed groups, on the other hand, is group memberships that uses membership claims included by the identity provider Managed groupsin the SAML response or OIDC token.