Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,551,821
Community Members
 
Community Events
184
Community Groups

SAML SSO with Azure AD: users won't be able tu log-on during SAML setup?

Deleted user Nov 05, 2019

Hi,

Sorry for long post.

 

We have Atlassian organization with Azure AD user provisioning enabled (one AD group with 8 users only).

We have more than 250 managed accounts as well (from different organizations).

Provisioned users and managed accounts share the same domain.

Now we want setup SAML SSO with Azure AD for the same domain (for first organization only.

 

The first step would be to configure SSO in Atlassian Cloud app in Azure AD.

We don't know proper Atlassian SAML ID since SAML configuration is not started at Atlassian yet. So we will put improper values for Identifier: https://auth.atlassian.com/saml/<unique ID>

and Reply URL: https://auth.atlassian.com/login/callback?connection=saml-<unique ID>

In the next step we will initiate SAML setup at Atlassian side.

After this stage SSO will fail for sure since we are used improper values in first step.

How this affect users? Documentation says: "During the time it takes to configure SAML single sign-on, users won't be able to log in to your Atlassian Cloud applications. Consider scheduling a day and time for the changeover to SAML, and alerting your users in advance."

Only provisioned users will be affected? Or managed accounts from diffrent organizations as well?

After next step - fixing Azure AD URLs setup with proper Atlassian IDs  - SSO should work for provisioned users but no managed accounts from different organizations?

Thanks in advance for any help.

 

Regards,

Tomasz

 

 

 

 

Answer
Watch
Like Be the first to like this
893 views

1 answer

1 accepted

1 vote
Answer accepted
Ramon Macalinao
Ramon M
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Nov 11, 2019 • edited Nov 18, 2019

Hi Tomasz, 

Thanks for using Atlassian Community. 

The SAML-SSO with Azure will actually be enforced to all Atlassian Account that has an email address under your claimed domain. That will be both provisioned and non-provisioned user, so basically, everybody under Managed Accounts

managed accounts.png

 

You are right that you will initially enter some dummy values when initially configuring the Atlassian Cloud app in Azure. That will be corrected later on if you follow the Microsoft Tutorial page. 

 

On Step #6 of the Configure Atlassian Cloud SSO section, you will need to copy the details from Azure into Atlassian. After saving the configuration on Atlassian side, that's when the enforcement will start for all the managed accounts. This is the start of the downtime. 

Azure to Atlassian.png

 

 

 

On Step #7 of the Configure Atlassian Cloud SSO section, after saving the configuration in Atlassian, the SAML details that needs to be copied over at Azure will be exposed. Once the details have been copied to Azure, the integration is established. 

Azure2.png

 

Users that are assigned to the Atlassian Cloud app in Azure will be able to use the SSO integration. If you configure Single Sign On the same app where you initially configured provisioning, then your provisioned users will be covered. You will then need to assign the other non-provisioned users so that they can also use the SSO setup. The downtime should end here. 

provisioned users.png

Just a note that during the downtime, user won't be able to authenticate into Atlassian cloud but existing sessions will not be disconnected. The Managed Accounts will only be forced to login via Azure on their next login. 

I hope this helps. 

Regards,
Ramon

View More Comments
Deleted user Nov 11, 2019

Hi Ramon,

Thanks for detailed explanation. All is clear now and we are preparing for SSO go live soon.

Best regards,

Tomasz

Like
Ramon Macalinao
Ramon M
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Nov 12, 2019

Goodluck Tomasz! 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Identity Manager
Atlassian Access
TAGS
AUG Leaders

Atlassian Community Events

See all events