Atlassian Access and Azure AD configuration help with 2 Azure tenants

Hi all, 

First of all, my experience with Azure AD is very limited, and with Atlassian Access I have only been able to check the product's general configuration and verify the synchronization of users and groups. Now our customer is asking us for a higher level of configuration with this scenario:


  • Initially the configuration was performed on a single domain. That is, a directory was created and domain 1 was claimed. Everything worked correctly.
  • Currently domains 2 and 3 that exist in a second Azure AD tenant have been claimed and added to the directory. At this point users and groups have been synchronized in the organization's directory without problems
  • The three domains belong to three companies owned by the same parent company. Some users (like the one with the following error) have accounts on more than one domain.
  • Three domains are on Azure AD
  • After this configuration, one of the users cannot authenticate to Jira with this error:


Message (translated): "The selected user account does not exist in tenant "Tenant 1" so the application .... of this tenant cannot be accessed. To do this, it is first necessary to add the account as an external user in the tenant. Use another account."

The login was attempted using an account from domain 2 of tenant 2.

First of all we would need to understand why this error appears (if possible with the data included, and sorry for the limited knowledge of both products) and what would be the proper configuration to avoid this error: federated tenants, creation of a second directory in AA, create a second organization....

Any help will be much appreciated.

Thanks in advance

Rafa

1 answer

2 votes
Answer accepted

Hi Rafa,

Here it looks like you have 2 Azure tenants connected to the Atlassian organization for user provisioning, i.e. to sync and provision users and groups to Atlassian.

This is working fine, as for user provisioning you just need to create a directory and use the directory API + token updated at Azure to configure the user provisioning.

When it comes to SSO authentication, the configuration at the Atlassian organization includes the SSO URL of Azure AD. This is where the user will be redirected when they try to log in to your Jira instance. As of today, you cannot integrate an Atlassian organization with multiple IdPs for SSO authentication, hence the configuration will have only one SSO URL.

You can check this config under admin.atlassian.com --> Security --> SAML single sign-on.

The behavior you observe is expected, as the user here is redirected to Tenant1 Azure based on the SSO URL you have configured and the user is not present in Tenant1.

Regards,
Jayant

Thank you very much Jayant.

I clearly see the problem. Now I have to find the best solution for this scenario. I gather from your answer that SSO through Jira configuration is not enough. Is there any plugin that we can value for this case? (user provisioning from Azure and SSO from other solution)

Any reference will be welcome

Many thanks again

Rafa.

Dave Meyer Atlassian Team Oct 04, 2021

Unfortunately it's not possible to connect a single Atlassian organization to multiple identity providers (each tenant of Azure AD would be a different IdP) for SSO purposes at this time. This is on our roadmap though.

In the meantime, the workaround would be to maintain two separate organizations, but this would come with different drawbacks for user provisioning.


Many thanks Dave.

I hope that our customer accepts this time frame as acceptable. We'll wait for this functionality.

Regards

Rafa.
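
The mismatch described in this thread (provisioning from two tenants, but a single SSO URL pointing at one of them) can be found before users report it. The following is an added example, not code from Atlassian or from any poster; the tenant names, domains, accounts and function names are constructed, and it assumes you can export the provisioned accounts, know which tenant holds each claimed domain, and have no guest (external) accounts in the SSO tenant.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names): the Azure AD tenant that holds
# each claimed domain, and the tenant the single SAML SSO URL points to.
DOMAIN_TENANT = {
    "domain1.example": "tenant1",
    "domain2.example": "tenant2",
    "domain3.example": "tenant2",
}
SSO_TENANT = "tenant1"

# Constructed sample of provisioned accounts: (person, email).
PROVISIONED = [
    ("ana", "ana@domain1.example"),
    ("luis", "Luis@Domain2.example"),
    ("marta", "marta@domain1.example"),
    ("marta", "marta@domain3.example"),
    ("ext", "ext@partner.example"),
]

def home_tenant(email, domain_tenant=DOMAIN_TENANT):
    """Tenant holding the account's domain, or None if the domain is not listed."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    return domain_tenant.get(domain)

def classify(accounts, sso_tenant=SSO_TENANT):
    """Group account emails by the outcome of being redirected to sso_tenant."""
    result = defaultdict(list)
    for _person, email in accounts:
        tenant = home_tenant(email)
        if tenant is None:
            key = "unknown"      # domain not in the inventory, no prediction
        elif tenant == sso_tenant:
            key = "ok"           # domain is held by the tenant behind the SSO URL
        else:
            key = "blocked"      # redirected to a tenant that does not hold it
        result[key].append(email.strip().lower())
    return dict(result)

def people_without_working_login(accounts, sso_tenant=SSO_TENANT):
    """People whose listed accounts are blocked and who have none in sso_tenant."""
    by_person = defaultdict(set)
    for person, email in accounts:
        by_person[person].add(home_tenant(email))
    return sorted(p for p, tenants in by_person.items()
                  if sso_tenant not in tenants and tenants - {None})

if __name__ == "__main__":
    print(classify(PROVISIONED))
    print(people_without_working_login(PROVISIONED))
```

Accounts in the "blocked" group are the ones that would see the "account does not exist in tenant" message; people returned by the second function have no alternative account that the configured SSO tenant can authenticate.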
