Hi everyone,
I’m currently working on integrating Auth0 as our identity provider for Atlassian Cloud, using Atlassian Access with SCIM provisioning. For our internal users—whose email addresses belong to our verified domain—the login experience is seamless. Their email is recognized during the login process, and SAML SSO kicks in automatically.
However, I am facing a challenge with external users who use email addresses outside our managed domain. Although their accounts are provisioned automatically via SCIM, these users receive an Atlassian invitation email, prompting them to activate their account with a password. This flow not only causes confusion but also detracts from the streamlined SSO experience we’re aiming for.
In Atlassian Data Center, we had the flexibility to redirect the entire login process (of a specific site/product) to our identity provider (Auth0), ensuring that even users with external emails could log in via SSO.
My questions are:
Is there any way in Atlassian Cloud to enforce a complete SSO-only flow for users even if their email address is not part of the verified domain?
Are there any workarounds or best practices for automatically creating and logging in these external users via SSO without them having to go through the standard invitation process?
To summarize:
Thanks in advance for your help.
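As an added example (not part of the original post, and not Atlassian's or Auth0's own code), the following script audits a SCIM 2.0 ListResponse (the RFC 7644 format a SCIM directory returns) against the set of verified domains and reports which provisioned users will fall into the password-invitation flow described above because their email domain is not verified. The SCIM payload, the user records and the `VERIFIED_DOMAINS` set are constructed for illustration; the assumption that only an exact domain match counts as verified (no subdomain matching) is the script's own, not a statement about Atlassian's rules.

```python
"""Audit helper (added example, constructed data): find SCIM-provisioned users whose
email domain is outside the verified set, i.e. users that will not get SAML SSO
enforced and will receive the password-invitation email instead."""
import json

# Assumption for this example: the org has verified exactly these domains.
VERIFIED_DOMAINS = {"example.com"}

# Constructed SCIM 2.0 ListResponse (RFC 7644 shape); not real directory data.
SAMPLE_SCIM_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True,
         "emails": [{"value": "alice@example.com", "primary": True}]},
        {"id": "u2", "userName": "bob@EXAMPLE.com", "active": True,
         "emails": [{"value": "Bob@Example.com", "primary": True}]},
        {"id": "u3", "userName": "carol@partner.org", "active": True,
         "emails": [{"value": "carol@partner.org", "primary": True}]},
        {"id": "u4", "userName": "dave@partner.org", "active": False,
         "emails": [{"value": "dave@partner.org", "primary": True}]},
    ],
})


def primary_email(user):
    """Return the user's primary email, lowercased; fall back to the first email,
    then to userName (SCIM does not require userName to be an address)."""
    emails = user.get("emails") or []
    for entry in emails:
        if entry.get("primary") and entry.get("value"):
            return entry["value"].strip().lower()
    if emails and emails[0].get("value"):
        return emails[0]["value"].strip().lower()
    return (user.get("userName") or "").strip().lower()


def email_domain(email):
    """Return the lowercased domain part of an address, or '' if it is malformed."""
    if email.count("@") != 1:
        return ""
    local, domain = email.split("@")
    return domain.lower() if local and domain else ""


def sso_enforced(email, verified_domains):
    """Assumption: SSO is enforced only when the domain exactly matches a verified one."""
    return email_domain(email) in {d.lower() for d in verified_domains}


def classify_scim_users(scim_json, verified_domains):
    """Split active SCIM users into 'managed' (verified domain, SSO enforced),
    'unmanaged' (will get the invitation/password flow) and 'malformed' (no usable
    address). Inactive users are skipped since they cannot log in anyway."""
    data = json.loads(scim_json)
    report = {"managed": [], "unmanaged": [], "malformed": []}
    for user in data.get("Resources", []):
        if not user.get("active", True):
            continue
        email = primary_email(user)
        if not email_domain(email):
            report["malformed"].append(user.get("id"))
        elif sso_enforced(email, verified_domains):
            report["managed"].append(email)
        else:
            report["unmanaged"].append(email)
    return report


if __name__ == "__main__":
    result = classify_scim_users(SAMPLE_SCIM_RESPONSE, VERIFIED_DOMAINS)
    for addr in result["unmanaged"]:
        print(f"{addr}: domain not verified, user will get the password-invitation flow")
    for uid in result["malformed"]:
        print(f"user {uid}: no usable email address in SCIM record")
```

Run against a real export by replacing `SAMPLE_SCIM_RESPONSE` with the JSON your directory returns; the `unmanaged` list is the set of accounts to review before assuming SSO covers them.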