Collaborate more securely by enforcing single sign-on for external users: now generally available!

We are excited to announce the general availability (GA) of single sign-on (SSO) step-up verification for external users. It is now available within the external user security feature to all customers with a subscription to Atlassian Guard. Learn more about Atlassian Guard.


External user security enables you to apply security controls to users who collaborate with your company but whom you don’t manage in your Atlassian organization, such as contractors or collaborators from other companies. In admin hub, you can set a variety of controls for external users, including:

  • Enforce two-step verification: An extra security step is enforced when external users try to access your organization’s Atlassian products.

    • Single sign-on (SSO) verification (NEW): Use SSO as the two-step verification method. External users are required to verify their identity against a specified connected identity provider via SSO.

    • Email one-time passcode verification: Use email-OTP as the two-step verification method. External users are required to verify their identity by entering a temporary one-time password sent to their email address.

  • Session duration: Specify how long sessions last for external users and how often they need to re-verify. Session durations can be set from 15 minutes to 30 days.

  • API token access: When you block API token access for external users, they are unable to use API tokens to access the products through product APIs. Learn more about API tokens.

 

Before rolling out these external user controls to all users, you can test various settings using the test policy with up to five users. You can find a video demonstration of the external user security SSO two-step verification here.

 

With the addition of this feature, we are giving customers the ability to enforce the same level of security across both their managed and external users. For more details on how to set up SSO verification for external users and the Atlassian Guard billing implications of the feature, please review these sources:

 


 

The GA experience has just started rolling out, so you can expect to see this feature in Atlassian Administration (admin.atlassian.com) within the next two weeks.

In response to customer feedback, we are also investigating enforcement of multiple external user policies as a future capability for the external user security feature.

If you previously used external user security during the early access program, thank you for being a part of bringing this feature to life! And if you’re new to external user security, we hope you find it valuable to securely collaborate with your external teammates. Learn more about the feature in our support documentation.

Have questions or feedback? Please leave a comment below.

 

4 comments

Jan-Cees van Buiten September 16, 2024

Good to hear this will be available soon, David! I have a question. We use Entra ID (Azure AD) as IDP for our managed users. In order to be able to log in, the managed user has to belong to a specific AD group. This AD group is synced to Jira. This group has "User access" in Jira.

I was wondering if I can do the same now for external users.

When I give an external user access in/to Jira, he will be added to the default access group, "jira-users", which is not synced with our Entra ID.

When we use this new functionality for external users, and I create a new AD group and configure this also as an access group in Jira, would I then be able to manage the external user by adding/removing him from this AD group, just as I do now with our managed users?

I am asking this because I'd rather completely manage the user access to Jira in Entra ID.

 

M Amine
Community Leader
September 18, 2024

Thank you for sharing this announcement.

David Olive
Atlassian Team
September 18, 2024

Hi @Jan-Cees van Buiten 

User provisioning from an IDP does work with externals; you can see more info here. With external users, they will go through SSO and validate against your IDP, then their product access will be checked and they will be blocked or allowed through based on their access.

Hope that helps!


Jan-Cees van Buiten September 19, 2024

Thanks for the response @David Olive, we'll try to add these external users then.
