Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

SAML SSO with Azure AD: users won't be able tu log-on during SAML setup?

Deleted user November 5, 2019

Hi,

Sorry for long post.

 

We have Atlassian organization with Azure AD user provisioning enabled (one AD group with 8 users only).

We have more than 250 managed accounts as well (from different organizations).

Provisioned users and managed accounts share the same domain.

Now we want setup SAML SSO with Azure AD for the same domain (for first organization only.

 

The first step would be to configure SSO in Atlassian Cloud app in Azure AD.

We don't know proper Atlassian SAML ID since SAML configuration is not started at Atlassian yet. So we will put improper values for Identifier: https://auth.atlassian.com/saml/<unique ID>

and Reply URL: https://auth.atlassian.com/login/callback?connection=saml-<unique ID>

In the next step we will initiate SAML setup at Atlassian side.

After this stage SSO will fail for sure since we are used improper values in first step.

How this affect users? Documentation says: "During the time it takes to configure SAML single sign-on, users won't be able to log in to your Atlassian Cloud applications. Consider scheduling a day and time for the changeover to SAML, and alerting your users in advance."

Only provisioned users will be affected? Or managed accounts from diffrent organizations as well?

After next step - fixing Azure AD URLs setup with proper Atlassian IDs  - SSO should work for provisioned users but no managed accounts from different organizations?

Thanks in advance for any help.

 

Regards,

Tomasz

 

 

 

 

Answer
Watch
Like Be the first to like this
1274 views

1 answer

1 accepted

2 votes
Answer accepted
Ramon Macalinao
Ramon M
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 11, 2019

Hi Tomasz, 

Thanks for using Atlassian Community. 

The SAML-SSO with Azure will actually be enforced to all Atlassian Account that has an email address under your claimed domain. That will be both provisioned and non-provisioned user, so basically, everybody under Managed Accounts

managed accounts.png

 

You are right that you will initially enter some dummy values when initially configuring the Atlassian Cloud app in Azure. That will be corrected later on if you follow the Microsoft Tutorial page. 

 

On Step #6 of the Configure Atlassian Cloud SSO section, you will need to copy the details from Azure into Atlassian. After saving the configuration on Atlassian side, that's when the enforcement will start for all the managed accounts. This is the start of the downtime. 

Azure to Atlassian.png

 

 

 

On Step #7 of the Configure Atlassian Cloud SSO section, after saving the configuration in Atlassian, the SAML details that needs to be copied over at Azure will be exposed. Once the details have been copied to Azure, the integration is established. 

Azure2.png

 

Users that are assigned to the Atlassian Cloud app in Azure will be able to use the SSO integration. If you configure Single Sign On the same app where you initially configured provisioning, then your provisioned users will be covered. You will then need to assign the other non-provisioned users so that they can also use the SSO setup. The downtime should end here. 

provisioned users.png

Just a note that during the downtime, user won't be able to authenticate into Atlassian cloud but existing sessions will not be disconnected. The Managed Accounts will only be forced to login via Azure on their next login. 

I hope this helps. 

Regards,
Ramon

View More Comments
Deleted user November 11, 2019

Hi Ramon,

Thanks for detailed explanation. All is clear now and we are preparing for SSO go live soon.

Best regards,

Tomasz

Like
Ramon Macalinao
Ramon M
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 12, 2019

Goodluck Tomasz! 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Identity Manager
Atlassian Access
TAGS
AUG Leaders

Atlassian Community Events

    See all events