Sorry for long post.
We have Atlassian organization with Azure AD user provisioning enabled (one AD group with 8 users only).
We have more than 250 managed accounts as well (from different organizations).
Provisioned users and managed accounts share the same domain.
Now we want setup SAML SSO with Azure AD for the same domain (for first organization only.
The first step would be to configure SSO in Atlassian Cloud app in Azure AD.
We don't know proper Atlassian SAML ID since SAML configuration is not started at Atlassian yet. So we will put improper values for Identifier:
and Reply URL: https://auth.atlassian.com/login/callback?connection=saml-<unique ID>
In the next step we will initiate SAML setup at Atlassian side.
After this stage SSO will fail for sure since we are used improper values in first step.
How this affect users? Documentation says: "During the time it takes to configure SAML single sign-on, users won't be able to log in to your Atlassian Cloud applications. Consider scheduling a day and time for the changeover to SAML, and alerting your users in advance."
Only provisioned users will be affected? Or managed accounts from diffrent organizations as well?
After next step - fixing Azure AD URLs setup with proper Atlassian IDs - SSO should work for provisioned users but no managed accounts from different organizations?
Thanks in advance for any help.
Thanks for using Atlassian Community.
The SAML-SSO with Azure will actually be enforced to all Atlassian Account that has an email address under your claimed domain. That will be both provisioned and non-provisioned user, so basically, everybody under Managed Accounts.
You are right that you will initially enter some dummy values when initially configuring the Atlassian Cloud app in Azure. That will be corrected later on if you follow the Microsoft Tutorial page.
On Step #6 of the Configure Atlassian Cloud SSO section, you will need to copy the details from Azure into Atlassian. After saving the configuration on Atlassian side, that's when the enforcement will start for all the managed accounts. This is the start of the downtime.
On Step #7 of the Configure Atlassian Cloud SSO section, after saving the configuration in Atlassian, the SAML details that needs to be copied over at Azure will be exposed. Once the details have been copied to Azure, the integration is established.
Users that are assigned to the Atlassian Cloud app in Azure will be able to use the SSO integration. If you configure Single Sign On the same app where you initially configured provisioning, then your provisioned users will be covered. You will then need to assign the other non-provisioned users so that they can also use the SSO setup. The downtime should end here.
Just a note that during the downtime, user won't be able to authenticate into Atlassian cloud but existing sessions will not be disconnected. The Managed Accounts will only be forced to login via Azure on their next login.
I hope this helps.