Due to a corporate merger, we will be moving from our current Google G Suite organziation to a new one. Today we utilize our Google G Suite identities for accessing our Atlassian Cloud (Jira/Confluence) services. Is there a procedure to follow to associate the new G Suite accounts with the existing Atlassian User accounts? E.g.
firstname.lastname@example.org (g suite user) --> user1 (atlassian user)
email@example.com (g suite user) --> user1 (atlassian user)
If you add the new domain to your current G Suite organization and update the relevant users email addresses, the email address change will be synced to their Atlassian accounts. Then you can move the new domain and those users over to the new G Suite organization.
Hope this helps,
Hey @shaynec –
The most important thing to bear in mind to avoid problems is that you should ensure that between each sync, either the users' Google account IDs or their primary email addresses should remain static.
IDs are supposed to be immutable, but because Google will treat the users on the new Google organization as new accounts, their IDs will be different there. You of course are in total control of their primary email addresses. Given these constraints, you have a reasonable degree of flexibility in how you approach this.
Dave's suggestion is certainly the easiest and safest approach, but acknowledging that you might be reluctant or unable to claim the new domain in the old organization, I thought I'd provide a bit more insight.
Please let us know if you need any further clarification :)
Note: it just occurred to me that I'm not sure you're actually using our Google Suite integration. If you just apply changes in your Google userbase without actively synchronising them to your Atlassian one, this won't work! See the docs here for details.
Hi @mroz and @Dave Meyer thank you both for your answers. I am still a little confused however about how to prepare for the migration from olddomain.com to newdomain.com. I do not have the ability to claim newdomain.com in the old organization, so I do not think that I can follow @Dave Meyer's suggestion.
What I don't understand though, is the identifying attribute which is used for the federation between a G Suite user account, and an Atlassian cloud account. Is this the primary email address of the user? Or is there some G Suite GUID which is sent over (and mapped??) to an Atlassian Cloud user account?
As I see it, if it is the primary email address, then I suppose this is within my control (or my users' control) to change as part of the migration process between G Suite Accounts. If however, it is some GUID value, then I am not really sure what options I have (if any).
Yeah, GSuite users have a unique identifier. In fact, it's globally unique to the entire Google userbase, not just your slice of it.
There are actually a series of identifying attributes that we use in an attempt to increase the likelihood of successful synchronisations with the G Suite integration (again, these only apply to the integration, and not to the standard login with Google flow, which is much weaker).
Those identifiers are (in order of importance):
That last one is a bit unreliable though for reasons I won't get into, which is why in the steps I've outlined below, I've avoided depending on it. There's a lot of history behind why this works exactly the way it does. This is all likely going to be improved dramatically in the not-too-distant future, but this is what we're dealing with for now.
I do not have the ability to claim newdomain.com in the old organization
I suspected this might be the case. It makes things slightly harder, but not impossible. Do you have the capacity to claim the old domain in your new Google organization? It seems likely that you'll be doing this anyway to preserve your users' old email addresses. If so, one way you can do this would be to:
I didn't want to pollute the steps above, but so you better understand the process, some explanations:
Some things to note:
Hope that helps,