Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,365,072
Community Members
 
Community Events
168
Community Groups

SAML SSO with Azure AD: users won't be able tu log-on during SAML setup?

Deleted user Nov 05, 2019

Hi,

Sorry for long post.

 

We have Atlassian organization with Azure AD user provisioning enabled (one AD group with 8 users only).

We have more than 250 managed accounts as well (from different organizations).

Provisioned users and managed accounts share the same domain.

Now we want setup SAML SSO with Azure AD for the same domain (for first organization only.

 

The first step would be to configure SSO in Atlassian Cloud app in Azure AD.

We don't know proper Atlassian SAML ID since SAML configuration is not started at Atlassian yet. So we will put improper values for Identifier: https://auth.atlassian.com/saml/<unique ID>

and Reply URL: https://auth.atlassian.com/login/callback?connection=saml-<unique ID>

In the next step we will initiate SAML setup at Atlassian side.

After this stage SSO will fail for sure since we are used improper values in first step.

How this affect users? Documentation says: "During the time it takes to configure SAML single sign-on, users won't be able to log in to your Atlassian Cloud applications. Consider scheduling a day and time for the changeover to SAML, and alerting your users in advance."

Only provisioned users will be affected? Or managed accounts from diffrent organizations as well?

After next step - fixing Azure AD URLs setup with proper Atlassian IDs  - SSO should work for provisioned users but no managed accounts from different organizations?

Thanks in advance for any help.

 

Regards,

Tomasz

 

 

 

 

1 answer

1 accepted

1 vote
Answer accepted

Hi Tomasz, 

Thanks for using Atlassian Community. 

The SAML-SSO with Azure will actually be enforced to all Atlassian Account that has an email address under your claimed domain. That will be both provisioned and non-provisioned user, so basically, everybody under Managed Accounts

managed accounts.png

 

You are right that you will initially enter some dummy values when initially configuring the Atlassian Cloud app in Azure. That will be corrected later on if you follow the Microsoft Tutorial page. 

 

On Step #6 of the Configure Atlassian Cloud SSO section, you will need to copy the details from Azure into Atlassian. After saving the configuration on Atlassian side, that's when the enforcement will start for all the managed accounts. This is the start of the downtime. 

Azure to Atlassian.png

 

 

 

On Step #7 of the Configure Atlassian Cloud SSO section, after saving the configuration in Atlassian, the SAML details that needs to be copied over at Azure will be exposed. Once the details have been copied to Azure, the integration is established. 

Azure2.png

 

Users that are assigned to the Atlassian Cloud app in Azure will be able to use the SSO integration. If you configure Single Sign On the same app where you initially configured provisioning, then your provisioned users will be covered. You will then need to assign the other non-provisioned users so that they can also use the SSO setup. The downtime should end here. 

provisioned users.png

Just a note that during the downtime, user won't be able to authenticate into Atlassian cloud but existing sessions will not be disconnected. The Managed Accounts will only be forced to login via Azure on their next login. 

I hope this helps. 

Regards,
Ramon

Deleted user Nov 11, 2019

Hi Ramon,

Thanks for detailed explanation. All is clear now and we are preparing for SSO go live soon.

Best regards,

Tomasz

Goodluck Tomasz! 

Suggest an answer

Log in or Sign up to answer
TAGS

Atlassian Community Events