Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,560,573
Community Members
 
Community Events
185
Community Groups

Migrating to SAML. Test environment, and user logout questions.

Harry Sheppard
Harry Sheppard Jul 31, 2019

Hi Everyone,

 

I am looking to migrate my organisation to use SAML single sign on, specifically with Azure AD, and have some a couple questions about the process.

One, is is possible to have some test environment, to ensure that SAML is working correctly, without affecting my users logins? Since Atlassian Access is configured organisation wide, I can't create a separate site to test in, can I?

Two, since user sessions will persist through the migration to SAML (as far as I have gathered from the documentation), will I need to have my users log out, then log back in before I would be able to manage their access through my identity provider (Azure AD)? If a user hasn't logged in with SAML, I would think that their session is not associated with their account on the ID provider. Or is the ability to disable users from the ID provider only available once I set up user provisioning?

 

Cheers,

Harry

Answer
Watch
Like Be the first to like this
611 views

2 answers

2 accepted

1 vote
Answer accepted
Narmada Jayasankar
Narmada Jayasankar
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Aug 08, 2019 • edited

Hi Harry,

Following up on the second half of your question - setting up SAML will not terminate existing user sessions. SAML SSO will kick in when the user logs out and logs back in. At that time, if the user is disabled in the IDP, the log-in attempt will be rejected. If you want access to be revoked immediately after the user is disabled in the IDP, user provisioning via SCIM is what you need. Let me know if this answers your question.

Best,

Narmada

View More Comments
Harry Sheppard
Harry Sheppard Aug 08, 2019 • edited

Hi Narmada,

Not everyone in my company needs an Atlassian account, so would it be possible to set up SCIM to allow me revoke access immediately via the IDP, but not actually provision new users if they log in with an email on my verified domain?

If this isn't possible, then is there a way to force log out a user as an admin?

Cheers,

Harry

Like
Harry Sheppard
Harry Sheppard Aug 08, 2019

It looks like this is possible by controlling the "app assignments" in Azure AD, so that's all I need to know. Thank you for your help.

Like
Reply
1 vote
Answer accepted
Dave Meyer
Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Aug 08, 2019

Hi Harry,

Apologies for the delay in getting back to you. Yes, you’re correct that creating a separate test site won’t have any effect since SAML is configured for your organization based on n the domains that you have claimed. Our recommended method for testing is to verify a test domain for your organization, like “test.yourdomain.com” and create a couple users in Azure AD with emails on that domain. Then go ahead and configure SAML with Azure AD and you can test it out with those users. Once you’re satisfied, you can go ahead and verify your production domain and the SAML settings will automatically apply to all users on your production domain, across all sites they access.

I will check with our team about your question on sessions.

Cheers,

Dave

View More Comments
Harry Sheppard
Harry Sheppard Aug 08, 2019

Using another domain to test will help, thank you for the suggestion.

I look forward to hearing back from you about user sessions.

Like
DevOps-Tally_
DevOps-Tally_ Sep 04, 2019

Hey,

 

I was looking forward for a same solution. Having Azure Ad SAML. Any document that can help me setting this up please?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Identity Manager
Atlassian Access
TAGS
AUG Leaders

Atlassian Community Events

See all events