Atlassian Access and Azure AD configuration help with 2 Azure tenants

Rafael Tejero Palma October 1, 2021

Hi all, 

First of all, my experience with Azure AD is very limited, and with Atlassian Access I have only been able to check the product's general configuration and verify the synchronization of users and groups. Now our customer is asking us for a higher level of configuration with this scenario:

[Image: Imagen1.png]

  • Initially the configuration was performed on a single domain. That is, a directory was created and domain 1 was claimed. Everything worked correctly.
  • Currently domains 2 and 3, which exist in a second Azure AD tenant, have been claimed and added to the directory. At this point users and groups have been synchronized into the organization's directory without problems.
  • The three domains belong to three companies owned by the same parent company. Some users (like the one with the following error) have accounts on more than one domain.
  • All three domains are on Azure AD.
  • After this configuration, one of the users cannot authenticate to Jira with this error:

[Image: Imagen2.png]

Message (translated): "The selected user account does not exist in tenant "Tenant 1" so the application .... of this tenant cannot be accessed. To do this, it is first necessary to add the account as an external user in the tenant. Use another account."

The login was attempted using an account from domain 2 of tenant 2.

First of all we would need to understand why this error appears (if possible with the data included, and sorry for the limited knowledge of both products) and what the proper configuration would be to avoid this error: federated tenants, creating a second directory in AA, creating a second organization....

Any help will be very appreciated.

Thanks in advance

Rafa

2 answers

1 accepted

2 votes
Answer accepted
Jayant Suneja
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 1, 2021

Hi Rafa,

Here it looks like you have 2 Azure tenants connected to the Atlassian organization for user provisioning, i.e. to sync and provision users and groups to Atlassian.

This is working fine, as for user provisioning you just need to create a directory and use the directory API + token (entered at Azure) to configure the user provisioning.

When it comes to SSO authentication, the configuration at the Atlassian organization includes the SSO URL of Azure AD. This is where the user will be redirected when they try to log in to your Jira instance. As of today, you cannot integrate an Atlassian organization with multiple IdPs for SSO authentication, hence the configuration will have only one SSO URL.

You can check this config under admin.atlassian.com --> Security --> SAML single sign-on.

The behavior you observe is expected, as the user here is redirected to Tenant 1 Azure AD based on the SSO URL you have configured, and the user is not present in Tenant 1.

Regards,
Jayant

Rafael Tejero Palma October 1, 2021

Thank you very much Jayant.

I clearly see the problem. Now I have to find the best solution for this scenario. I gather from your answer that SSO through the Jira configuration is not enough. Is there any plugin that we can evaluate for this case? (user provisioning from Azure and SSO from another solution)

Any reference will be welcome

Many thanks again

Rafa.

Dave Meyer
Atlassian Team
October 4, 2021

Unfortunately it's not possible to connect a single Atlassian organization to multiple identity providers (each tenant of Azure AD would be a different IdP) for SSO purposes at this time. This is on our roadmap though.

In the meantime, the workaround would be to maintain two separate organizations, but this would come with different drawbacks for user provisioning.

[Image: Screen Shot 2021-10-04 at 1.33.38 PM.png]

Rafael Tejero Palma October 5, 2021

Many thanks Dave.

I hope that our customer finds this time frame acceptable. We'll wait for this functionality.

Regards

Rafa.

0 votes
Emil Emilsson July 13, 2022

Has this been implemented yet? We would really need this feature for our domains.

Ed Letifov _TechTime - New Zealand_
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
July 13, 2022

No, this hasn't been implemented.

You just need to have two Atlassian Access subscriptions in two different organisations (a logical distinction, equivalent to a "tenant" in Azure) on the Atlassian side. Your two (or three) domains should be claimed separately in these different organisations.

Just like you have two "tenants" in Azure AD you will have two "organisations", with two user directories.

Emil Emilsson July 13, 2022

Our scenario is like this: we have two domains in Azure AD, but we would like them to have SSO with one Atlassian/Jira subscription.

Is this implementable? Can you show me examples?

Ed Letifov _TechTime - New Zealand_
Rising Star
July 13, 2022

If users from both domains can log in to the *same* Azure tenant, then your scenario is *normal* compared to the one above: in this case you just claim two domains in one Atlassian organisation and integrate with Azure AD once.
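The decisive question in both answers above (Jayant's explanation that the organization holds a single SSO URL, and Ed's "same tenant or not") is which Azure AD tenant each claimed domain actually belongs to. The following script is an added example for this thread, not Atlassian or Microsoft code. It resolves a domain to its tenant ID through Microsoft's public OpenID discovery endpoint (`https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration`, whose `issuer` carries the tenant ID; an unregistered domain answers with `"error": "invalid_tenant"`), extracts the tenant ID embedded in the SAML SSO URL (`https://login.microsoftonline.com/<tenant-id>/saml2`), and predicts whether a login would land in the "account does not exist in tenant" error. The domains, tenant IDs and discovery documents it runs on offline are constructed for the demo; `fetch_discovery` is the live variant.

```python
"""Resolve which Azure AD tenant each claimed e-mail domain belongs to and
compare it with the tenant behind the SAML SSO URL configured for the
Atlassian organization.

Added example for this thread; not Atlassian or Microsoft code. Assumed
endpoint shapes (live lookup only):
  * GET https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration
    -> discovery document whose "issuer" is
       https://login.microsoftonline.com/<tenant-id>/v2.0 ;
       an unregistered domain returns {"error": "invalid_tenant", ...}
  * SAML SSO URL of an Azure AD enterprise app:
    https://login.microsoftonline.com/<tenant-id>/saml2
The tenant IDs, domains and discovery documents below are constructed.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Dict, Iterable, Optional

DISCOVERY_URL = (
    "https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration"
)
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)

# Constructed sample data: made-up tenant IDs, made-up domains.
TENANT_1 = "11111111-1111-1111-1111-111111111111"
TENANT_2 = "22222222-2222-2222-2222-222222222222"
SAMPLE_DISCOVERY: Dict[str, dict] = {
    "domain1.example": {"issuer": f"https://login.microsoftonline.com/{TENANT_1}/v2.0"},
    "domain2.example": {"issuer": f"https://login.microsoftonline.com/{TENANT_2}/v2.0"},
    "domain3.example": {"issuer": f"https://login.microsoftonline.com/{TENANT_2}/v2.0"},
    "nobody.example": {"error": "invalid_tenant",
                       "error_description": "Tenant 'nobody.example' not found."},
}
# The single SSO URL an Atlassian organization can hold; here it points at tenant 1.
SSO_URL = f"https://login.microsoftonline.com/{TENANT_1}/saml2"


def tenant_from_discovery(doc: Optional[dict]) -> Optional[str]:
    """Tenant ID from a discovery document, or None for an error/unknown domain."""
    if not doc or "error" in doc:
        return None
    m = GUID_RE.search(doc.get("issuer", ""))
    return m.group(0).lower() if m else None


def tenant_from_sso_url(sso_url: str) -> Optional[str]:
    """Tenant ID embedded in an Azure AD SAML SSO URL."""
    m = GUID_RE.search(sso_url)
    return m.group(0).lower() if m else None


def fetch_discovery(domain: str) -> dict:
    """Live lookup (needs network). HTTP error bodies are returned as their JSON."""
    try:
        with urllib.request.urlopen(DISCOVERY_URL.format(domain=domain), timeout=10) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:
        return json.load(e)


def diagnose_login(email: str, sso_url: str, discovery: Dict[str, dict]) -> str:
    """Predict the outcome of an SSO login for `email` against one SSO URL.

    'ok'              the domain's tenant is the one the SSO URL points at
    'tenant-mismatch' the user is redirected to a tenant they are not in
                      (the error shown in the original post)
    'unknown-tenant'  the domain is not registered in any Azure AD tenant
    """
    domain = email.rsplit("@", 1)[-1].lower()
    user_tenant = tenant_from_discovery(discovery.get(domain))
    if user_tenant is None:
        return "unknown-tenant"
    return "ok" if user_tenant == tenant_from_sso_url(sso_url) else "tenant-mismatch"


def same_tenant(domains: Iterable[str], discovery: Dict[str, dict]) -> bool:
    """True when every domain resolves to one and the same Azure AD tenant.

    This decides between the two setups discussed in the thread: one Atlassian
    organization with one SAML configuration (same tenant) versus one
    organization per tenant (different tenants).
    """
    tenants = {tenant_from_discovery(discovery.get(d.lower())) for d in domains}
    return len(tenants) == 1 and None not in tenants


if __name__ == "__main__":
    for user in ("alice@domain1.example", "bob@domain2.example", "eve@nobody.example"):
        print(f"{user:24} -> {diagnose_login(user, SSO_URL, SAMPLE_DISCOVERY)}")
    print("domain2+domain3 share a tenant:",
          same_tenant(["domain2.example", "domain3.example"], SAMPLE_DISCOVERY))
    print("domain1+domain2 share a tenant:",
          same_tenant(["domain1.example", "domain2.example"], SAMPLE_DISCOVERY))
```

To run it against real domains, replace `SAMPLE_DISCOVERY` with `{d: fetch_discovery(d) for d in your_domains}`; if `same_tenant` comes back false for the domains you want in one organization, the thread's conclusion applies and a second organization with its own SAML configuration is needed.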

Ed Letifov _TechTime - New Zealand_
Rising Star
July 13, 2022

Please note, "jira subscription" has nothing to do with this.

SAML SSO into Atlassian Cloud is Cloud-wide i.e. if the user from one of your domains wanted to go to my instance, they would still go through your Atlassian Access<->your Azure AD integration to be authenticated to Atlassian Cloud first, then based on their groups in my instance they will be or will not be given access.

Emil Emilsson July 13, 2022

I'm pretty sure they are on different tenants in different subscriptions.

Ed Letifov _TechTime - New Zealand_
Rising Star
July 13, 2022

In this case the above (original) use case matches your case: you will need two subscriptions of Atlassian Access (only possible if you have two organisations in Atlassian Cloud), you will have to claim one domain per organisation, and configure SAML twice.

Again, this is about authenticating these users to Atlassian Cloud. Once they are in, they can go to any instance they have been given access to, regardless of where they came from or how they authenticated.

Ed Letifov _TechTime - New Zealand_
Rising Star
July 13, 2022

To put Cloud vs. Jira instance into perspective:

When you log in to this very Community, you are using an Atlassian Cloud user, but you are not in your Jira instance. Same for Atlassian University or Trello.

So once you configure your Access<->Azure AD connection, you will be using your Azure AD authentication to access all Atlassian services.

Emil Emilsson July 13, 2022

OK, so I need two subscriptions of both, but how does that work if we want them to be in one organization in Atlassian?

Ed Letifov _TechTime - New Zealand_
Rising Star
July 13, 2022

Depends on what you mean by "one organization in atlassian".

a) if this is the pure English sense, as in "company", then this is achieved by subscribing to these under the same Technical Contact account and supplying the same company name (this is just a label really). You will see both subscriptions in my.atlassian as two separate records. You will also get two bills, but since it's per user, the combined total will be the same as it would have been if Atlassian allowed you to integrate with two Azure AD tenants from one Access.

b) if this is the Atlassian sense, as in "logical record in the Atlassian database", the answer is "it's not possible". Just as you have two tenants in Azure AD, you will have two "organizations" in Atlassian.

Emil Emilsson July 13, 2022

We are a city and basically have two domains as it is now, one for the schools and another for the administration of the city itself.

And we are thinking about using AD to control access and allow both domains access to the same Jira resources.

Ed Letifov _TechTime - New Zealand_
Rising Star
July 13, 2022

Emil,

There are some things you have to get right even with one domain and one tenant. See these answers of mine for examples:

In your case, to have it all work at least somewhat automagically, you will also need to configure the Azure AD side correctly in terms of groups, and as Dave Meyer from Atlassian alluded to above (but didn't elaborate!), this won't be perfect for one of the two orgs (it only works perfectly when the Jira instance belongs to the same organisation as Access).

I would seriously suggest you look up a Solution Partner nearby https://partnerdirectory.atlassian.com/

That is unless you want to deal with us, TechTime – Platinum Atlassian Solution Partner with Cloud Specialisation in New Zealand.

You are a city, and I am a business :)

We can definitely help, but it won't be for free. Reach out to our 24x7 support if you have questions.

