I'm gradually moving our Atlassian users to Google SSO. So when they click on the Atlassian login URL, they have the option of clicking to use their Google account. That's great.
But can I also block them from using their old Atlassian account's password? I want them to only be able to get into Atlassian from their Google account. That way, by suspending or deleting their Google account (departing user), they would not be able to access their Atlassian account either.
Hey Jeff, welcome to the Community!
Glad to hear you're getting configured with SSO. According to our documentation, users who are managed via G Suite will be directed to a G Suite login after they enter their email address on the login page and click Continue.
I think this addresses your need as users managed through G Suite don't get the opportunity to use a password with Atlassian ID. Disabling the account in G Suite will disable the account in Atlassian ID as well (during the next sync, and assuming the account is still in a synced group).
Hi @Jeff Mooallem,
What you are asking for is exactly what was tracked in the Feature Request below:
As you can see, the above ticket is marked as resolved and you can find all the details in the panel added to the top of the ticket description.
Also, as written in the Deactivate or delete managed accounts documentation page:
If an organization admin deactivates a user’s account, the user’s personal data will remain in Atlassian account services, and the admin can reactivate their account at any time.
If an organization admin deletes a user’s account, we’ll delete the user’s personal data from Atlassian account services, and no one will be able to reactivate their account.
An organization admin can delete a previously deactivated account if they decide to later.
Let me know if you have further questions on this topic.
If I correctly understand this process in the documentation and enable it from the G-Suite SAML setup for Atlassian, we must subscribe to Atlassian Access in order to have G-Suite manage Atlassian access. We do not subscribe to Access at this time so that means we cannot implement this. Is that correct?
On the other hand, when I turned on G-Suite user sync in Atlassian User Management (and did not use G-Suite SAML), that seems to work but they still have the Atlassian password available and can bypass Google 2FA.
In other words, I see two places to set up SSO: G-Suite user sync from Atlassian User Management, and SAML for Atlassian from G-Suite Admin. The first works but still allows the user to log in with the Atlassian password, and the second requires Atlassian Access.
Thanks for any advice on this.
Hi @Jeff Mooallem,
To clarify, the behavior you are describing in the sentence below should not be possible:
when I turned on G-Suite user sync in Atlassian User Management (and did not use G-Suite SAML), that seems to work but they still have the Atlassian password available and can bypass Google 2FA.
As already written by @Daniel Eads, if you have Google Sync configured in your Jira instance (with or without Atlassian Access) then all the users belonging to your Google domain will always be redirected to log in using Google. Only the other users, the ones not belonging to the configured Google domain (if any), will be able to log in using their Atlassian Account password.
Can you kindly double check this?
If you are experiencing a different behavior, please let us know and we can open a support request on your behalf to have this issue further investigated. You can also open the support request yourself by going to: https://support.atlassian.com/contact