Existing Users When Moving to Atlassian Access and SSO

Thomas Bell February 22, 2020

My company currently has an organization setup for Atlassian we have about 357 users that have standard Atlassian credentials. Those 357 users have emails that are associated with our company domain, meaning when they login they use an email like this: <firstname_lastname>@companydomain.com. We are currently using Jira, Confluence, and Jira Service Desk. We are going to also be adding Bitbucket very soon.

We are looking to use Atlassian Access to leverage SSO using AzureAD as our identity provider. Based on reading the docs the steps to get these users to be managed by Atlassian Access are:

1. Verify our domain

2. Create the AzureAD application for Atlassian

3. Assign relevant users to the Atlassian application in AzureAD

4. Configure the SAML SSO to sync users from AzureAD

As we make this transition I want to ensure that we don't have any disruption for the users that will be managed from AzureAD. I have a few questions about how this will work and what the experience will be for the existing users.

My questions are:

1. Once we verify our domain then any users with an email of @companydomain.com will be considered managed users, but until we enable SAML they will be able to continue logging in using their already provisioned Atlassian credentials. Is this correct?

2. If we add all existing users on @companydomain.com to the Atlassian application in AzureAD, then they will be able to login to Atlassian using their AD credentials. Is this correct?

3. Once the users are being managed through AzureAD via SAML will they be assigned to all the same groups and applications in Atlassian that they were before? Or do we have to re-assign groups and access after they are being managed through AzureAD?

ex) john_doe@companydomain.com currently logs in using Atlassian credentials and has access to various projects in Jira and has access to confluence. Once we switch over to AzureAD and john_doe@companydomain.com logs in using AD credentials will john_doe@companydomain.com continue to have access to everything he had access to before without any extra administrative steps?

4. Will all the user mentions for a user still be relevant and intact once we switch them over to Azure AD?

5. If something goes wrong and we need to turn SAML and SSO off will all users be able to continue using their Atlassian credentials as they did before?

6. Any user that has a login email that is not on our company domain for example: jane_doe@someothercompany.com will be able to continue  using their Atlassian credentials. Is this correct?

Thanks in advance for any assistance. 

 

 

1 answer

0 votes
Jimmy Seddon
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
February 24, 2020

Hi @Thomas Bell,

I'll do my best to answer your questions based on our own experiences.

#1 - Yes, until you setup SAML all you will have done is claimed the accounts but authentication will not have changed yet.

#2 - Assuming you have setup and configured SAML for SSO access then yes this is exactly how this will function.

#3 - I answered a similar question to this one here: https://community.atlassian.com/t5/Atlassian-Access-questions/If-Access-is-turned-off-will-it-impact-projects/qaq-p/1303127

the short answer is you are simply changing the authentication method not the groups and permission structure, so you won't need to change anything here for existing users. 

#4 - Yes, this won't have any affect on existing user mentions, and new user mentions should work exactly the same as before you set this up.

#5 - Yes, refer to the document here for more information: https://confluence.atlassian.com/cloud/unsubscribe-from-atlassian-access-948237308.html

#6 - This one I have not had to deal with personally, but according to here: https://community.atlassian.com/t5/Atlassian-Access-questions/Is-it-possible-to-use-a-mix-of-Atlassian-and-SAML-accounts/qaq-p/826585, it looks like this is also possible.

I hope that helps!

-Jimmy

Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 25, 2020

Yes just to confirm, if you have users that have access to your Jira or Confluence site but are external (i.e. not on one of your verified domains), nothing will change for them. They'll still have access to your site as usual and they will still log in as they did before. 

Like # people like this
Ben July 5, 2021

@Dave Meyer  hope i can follow up - to be sure, its mentioned that groups and permissions dont change since only the authentication changes. 

does that hold true for assignees? meaning if user x is logging in not using atlassian access and is now assigned an issue, and now logging in with atlassian access, are they still the assignee? or does the user itself change since its coming from another source?

Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 6, 2021

Hey @Ben ,

Nothing to worry about. The same user will still be assigned the issue. Think about it this way:

  1. Fred is a user who has an Atlassian account where he logs in with his email address and password. He is assigned an issue.
  2. Under the covers, the value of the "Assignee" field for that issue is populated with his unique Atlassian account ID. (n.b. you can actually see this if you look at the REST API)
  3. Fred's admin subscribes to Atlassian Access and enables SSO.
  4. Now, when Fred goes to log in to his account, instead of entering his email address and password, he's redirected to his SSO provider to authenticate.
  5. But the issue assignee value never changes in Jira, because Fred still has the same Atlassian account. The only thing that's changed is the authentication mechanism for the account.
Like # people like this

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events