My company currently has an organization setup for Atlassian we have about 357 users that have standard Atlassian credentials. Those 357 users have emails that are associated with our company domain, meaning when they login they use an email like this: <firstname_lastname>@companydomain.com. We are currently using Jira, Confluence, and Jira Service Desk. We are going to also be adding Bitbucket very soon.
We are looking to use Atlassian Access to leverage SSO using AzureAD as our identity provider. Based on reading the docs the steps to get these users to be managed by Atlassian Access are:
1. Verify our domain
2. Create the AzureAD application for Atlassian
3. Assign relevant users to the Atlassian application in AzureAD
4. Configure the SAML SSO to sync users from AzureAD
As we make this transition I want to ensure that we don't have any disruption for the users that will be managed from AzureAD. I have a few questions about how this will work and what the experience will be for the existing users.
My questions are:
1. Once we verify our domain then any users with an email of @companydomain.com will be considered managed users, but until we enable SAML they will be able to continue logging in using their already provisioned Atlassian credentials. Is this correct?
2. If we add all existing users on @companydomain.com to the Atlassian application in AzureAD, then they will be able to login to Atlassian using their AD credentials. Is this correct?
3. Once the users are being managed through AzureAD via SAML will they be assigned to all the same groups and applications in Atlassian that they were before? Or do we have to re-assign groups and access after they are being managed through AzureAD?
ex) email@example.com currently logs in using Atlassian credentials and has access to various projects in Jira and has access to confluence. Once we switch over to AzureAD and firstname.lastname@example.org logs in using AD credentials will email@example.com continue to have access to everything he had access to before without any extra administrative steps?
4. Will all the user mentions for a user still be relevant and intact once we switch them over to Azure AD?
5. If something goes wrong and we need to turn SAML and SSO off will all users be able to continue using their Atlassian credentials as they did before?
6. Any user that has a login email that is not on our company domain for example: firstname.lastname@example.org will be able to continue using their Atlassian credentials. Is this correct?
Thanks in advance for any assistance.
Hi @Thomas Bell,
I'll do my best to answer your questions based on our own experiences.
#1 - Yes, until you setup SAML all you will have done is claimed the accounts but authentication will not have changed yet.
#2 - Assuming you have setup and configured SAML for SSO access then yes this is exactly how this will function.
#3 - I answered a similar question to this one here: https://community.atlassian.com/t5/Atlassian-Access-questions/If-Access-is-turned-off-will-it-impact-projects/qaq-p/1303127
the short answer is you are simply changing the authentication method not the groups and permission structure, so you won't need to change anything here for existing users.
#4 - Yes, this won't have any affect on existing user mentions, and new user mentions should work exactly the same as before you set this up.
#5 - Yes, refer to the document here for more information: https://confluence.atlassian.com/cloud/unsubscribe-from-atlassian-access-948237308.html
#6 - This one I have not had to deal with personally, but according to here: https://community.atlassian.com/t5/Atlassian-Access-questions/Is-it-possible-to-use-a-mix-of-Atlassian-and-SAML-accounts/qaq-p/826585, it looks like this is also possible.
I hope that helps!
Yes just to confirm, if you have users that have access to your Jira or Confluence site but are external (i.e. not on one of your verified domains), nothing will change for them. They'll still have access to your site as usual and they will still log in as they did before.
@Dave Meyer hope i can follow up - to be sure, its mentioned that groups and permissions dont change since only the authentication changes.
does that hold true for assignees? meaning if user x is logging in not using atlassian access and is now assigned an issue, and now logging in with atlassian access, are they still the assignee? or does the user itself change since its coming from another source?
Hey @Ben ,
Nothing to worry about. The same user will still be assigned the issue. Think about it this way:
Hi Community! Thank you to all who joined our ongoing monthly Atlassian Access demo! We have an engaging group of attendees who asked many great questions. I’ll share a recap of frequently ask...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events