We had some concerns we would like to address before enabling SSO in Data Center. We are currently using Crowd AD sync to pull in users from Active Directory. When we go to setup OKTA SSO what kinds of issues do we need to be aware of?
1. Will Application Access work the same as it does now? We can only grant new AD groups application access after the Crowd sync completes - Will this change once we setup OKTA SSO? How do we grant application access after moving to SSO?
2. Where can I confirm that the identity created within Jira by the AD/LDAP sync aligns with the identity provided by OKTA from OIDC or SAML? We need to know if these match and if so on what do they match on (i.e. email)?
Thanks again,
Kal
Hi @Kal
Okta SSO works like a standard SAML provider, so the SAML SSO for Jira Data Center applications guide applies here.
To address your questions:
Will Application Access work the same as it does now? We can only grant new AD groups application access after the Crowd sync completes - Will this change once we setup OKTA SSO? How do we grant application access after moving to SSO?
From my understanding, your current directory flow is: Active Directory -> Atlassian Crowd -> Jira DC.
Assuming you retain this directory configuration, nothing will change. Jira will still rely on Crowd group membership, which originates in AD. Any user that has the jira-software-users or jira-servicedesk-users group (or another group defined in the application access admin page) membership can log in to the respective Jira application.
The bundled Jira SSO app allows for just-in-time (JIT) user provisioning. JIT user provisioning automatically adds users to (or updates attributes/membership in) Jira's internal directory during SAML login. A downside to JIT is that users aren't automatically removed from Jira's internal directory when removed from the SAML IdP. If you decide to use JIT, you would want to remove your external user directory from Jira.
Where can I confirm that the identity created within Jira by the AD/LDAP sync aligns with the identity provided by OKTA from OIDC or SAML? We need to know if these match and if so on what do they match on (i.e. email)?
The username mapping setting on the Jira SSO configuration page allows you to specify which IdP attribute maps to the account username. You should use the attribute that Okta links to your AD sAMAccountNames or UPN.
Please let me know if this answers your question!
Thanks,
Ben
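As an added illustration of the username-mapping point in the answer above (example code, not from Atlassian or from anyone in this thread), the following Python check parses a constructed SAML assertion and verifies whether the IdP attribute chosen for Jira's username mapping resolves to exactly one user in a constructed copy of what the Crowd/AD sync placed in Jira's directory. The attribute names, the directory fields and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, trimmed to the parts relevant to username mapping.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">kal@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>kal</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userPrincipalName"><saml:AttributeValue>kal@corp.example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the users the Crowd/AD sync created in Jira (assumed field names).
DIRECTORY_USERS = [
    {"username": "kal", "upn": "kal@corp.example.com", "mail": "kal@example.com"},
    {"username": "ben", "upn": "ben@corp.example.com", "mail": "ben@example.com"},
]


def parse_assertion(xml_text):
    """Extract the NameID and all attribute values from a SAML assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text if name_id is not None else None, "attributes": attrs}


def reconcile(identity, directory_users, mapping_attr):
    """Return (matched_username, reason) for the attribute configured as the
    Jira username mapping; pass 'NameID' to test the subject NameID instead."""
    if mapping_attr == "NameID":
        values = [identity["name_id"]] if identity["name_id"] else []
    else:
        values = identity["attributes"].get(mapping_attr, [])
    if len(values) != 1:
        return None, f"expected exactly one value for {mapping_attr}, got {len(values)}"
    value = values[0].lower()
    # Compare case-insensitively against the synced sAMAccountName (username) and UPN.
    matches = [u for u in directory_users if value in (u["username"].lower(), u["upn"].lower())]
    if len(matches) == 1:
        return matches[0]["username"], f"matched on {mapping_attr}"
    if not matches:
        return None, f"no directory user has username or UPN '{value}'; JIT would create a new account"
    return None, f"ambiguous: {mapping_attr} value matches {len(matches)} directory users"
```

Running it with `sAMAccountName` or `userPrincipalName` resolves to the synced user, while the email-format NameID does not match and would, under JIT provisioning, produce a second account for the same person.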
Hello and thank you for your help. Very much appreciated.
I have one follow up question/comment. Yes, it is true that our current directory flow is AD/Crowd/Jira DC. I just wanted to make sure that this configuration would be left in place after integrating with OKTA SSO...
Lastly, If we decided on OpenID rather than SAML would things change with how we setup OKTA SSO?
Thank you again for your time,
Kal