
Atlassian Access & Azure AD SSO / Provisioning with different UPN Name & E-Mail Adress not possible?

Hi there,

I've an Azure AD tenant with the following user layout:

User Principal Name = ShortName@internal-domain.de
E-Mail Address = Surname.Lastname@external-domain.de

So our logon name at M365 is always the UPN name (ShortName@internal-domain.de).

We've set up the SSO connection, and authentication works within Atlassian. When entering ShortName@internal-domain.de as username we'll be redirected to the M365 login. But the user mapping is not correct.

Within Atlassian the user will be created with the UPN name, and the same value will be the e-mail address value. But I expect the real e-mail address to be the value of the user.mail attribute within Azure.

[Screenshot attachment: 2022-12-15 10_53_36-Window.png]

I think the problem is that Atlassian only handles the e-mail address as the unique identifier, right? But we would like to have the same logon names for all systems, and the e-mail address must be different that way.

When I simply switch the Unique User Identifier mapping value to user.mail, I'm not able to get a correct redirect to M365 when trying to log in with Surname.Lastname@external-domain.de.

Anyone else with those problems?

Kind regards,

Constantin

1 answer

Answer accepted (1 vote)
Ed Letifov _TechTime - New Zealand_ (Rising Star)
Dec 17, 2022

Hello, @Constantin Lotz

1) Yes, Atlassian keys everything by email. To be precise – regardless of what is specified in the mapping, i.e. one would think that as per your screenshot the unique identifier is the UPN, but no it's completely ignored, and it's the email that is being used to identify the user.

2) With the configuration in your screenshot the users should be created with emails from the external domains, despite them entering the UPN to trigger the redirect, and logging into Azure with UPN.

Is this not working?

With configuration as per your screenshot, this statement is not correct:

Within Atlassion the User will be created with the upnname and the same value will be the e-mail address value.

3) The triggering of the SAML flow happens based on the claimed domains. For you to be able to enter the email with the external domain and be redirected – you need to claim that domain too in Atlassian.

What you then use to actually login into Azure is irrelevant – as soon as you are authenticated the attributes will be sent as per the mapping in your screenshot. If you claim both domains – users will be able to enter either UPN or the email at Atlassian front-door.

Ok, thanks a lot. I guess it was the thing that we have to claim both domains :-)
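The two behaviours the accepted answer describes (the front-door redirect keyed on claimed domains, and the account keyed on the email attribute rather than on the NameID/UPN) as a small added model in Python. This is illustration code, not anything from Atlassian or Microsoft: the front-door logic is an assumption drawn from the answer, the assertion is constructed, and the email claim URI is the Azure AD default, which Atlassian's mapping is assumed to use.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD's default claim URI for the email attribute (assumed to be the one mapped).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion matching the thread's setup:
# NameID carries the UPN, the email attribute carries user.mail.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>ShortName@internal-domain.de</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>Surname.Lastname@external-domain.de</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def sso_redirect_required(login_name: str, claimed_domains: set) -> bool:
    """Model of the front-door check (assumption): redirect to the IdP only when
    the domain part of what the user typed is one of the claimed domains.
    What the user later types at Azure is irrelevant to this decision."""
    _, _, domain = login_name.rpartition("@")
    return domain.lower() in {d.lower() for d in claimed_domains}


def identity_from_assertion(xml_text: str) -> dict:
    """Extract NameID and the email attribute from the assertion and key the
    resulting account on the email, as the answer above describes. NameID is
    kept only for display; it never becomes the account key."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    email = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == EMAIL_CLAIM:
            email = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
    if not email:
        # Without a usable email attribute the account cannot be keyed at all.
        raise ValueError("assertion carries no email attribute")
    return {"key": email.lower(), "email": email.lower(), "name_id": name_id}
```

With only internal-domain.de claimed, typing the external address does not trigger the redirect; claiming both domains makes either login name work, while the account is still keyed on the email attribute from the assertion.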

Deployment type: Cloud