
SAML SSO with Azure AD: users won't be able to log on during SAML setup?

Hi,

Sorry for the long post.

 

We have an Atlassian organization with Azure AD user provisioning enabled (one AD group with 8 users only).

We have more than 250 managed accounts as well (from different organizations).

Provisioned users and managed accounts share the same domain.

Now we want to set up SAML SSO with Azure AD for the same domain (for the first organization only).

 

The first step would be to configure SSO in Atlassian Cloud app in Azure AD.

We don't know the proper Atlassian SAML ID since SAML configuration has not been started at Atlassian yet. So we will put improper values for Identifier: https://auth.atlassian.com/saml/<unique ID>

and Reply URL: https://auth.atlassian.com/login/callback?connection=saml-<unique ID>

In the next step we will initiate SAML setup on the Atlassian side.

After this stage SSO will fail for sure since we used improper values in the first step.

How does this affect users? Documentation says: "During the time it takes to configure SAML single sign-on, users won't be able to log in to your Atlassian Cloud applications. Consider scheduling a day and time for the changeover to SAML, and alerting your users in advance."

Will only provisioned users be affected? Or managed accounts from different organizations as well?

After the next step - fixing the Azure AD URLs setup with proper Atlassian IDs - SSO should work for provisioned users but not for managed accounts from different organizations?

Thanks in advance for any help.

 

Regards,

Tomasz

 

 

 

 

1 answer

1 accepted

1 vote
Answer accepted

Hi Tomasz, 

Thanks for using Atlassian Community. 

The SAML SSO with Azure will actually be enforced for all Atlassian accounts that have an email address under your claimed domain. That will be both provisioned and non-provisioned users, so basically, everybody under Managed Accounts.

managed accounts.png

 

You are right that you will initially enter some dummy values when initially configuring the Atlassian Cloud app in Azure. That will be corrected later on if you follow the Microsoft Tutorial page. 

 

On Step #6 of the Configure Atlassian Cloud SSO section, you will need to copy the details from Azure into Atlassian. After saving the configuration on the Atlassian side, that's when the enforcement will start for all the managed accounts. This is the start of the downtime.

Azure to Atlassian.png

 

 

 

On Step #7 of the Configure Atlassian Cloud SSO section, after saving the configuration in Atlassian, the SAML details that need to be copied over to Azure will be exposed. Once the details have been copied to Azure, the integration is established.

Azure2.png

 

Users that are assigned to the Atlassian Cloud app in Azure will be able to use the SSO integration. If you configure Single Sign-On on the same app where you initially configured provisioning, then your provisioned users will be covered. You will then need to assign the other non-provisioned users so that they can also use the SSO setup. The downtime should end here.

provisioned users.png

Just a note that during the downtime, users won't be able to authenticate into Atlassian Cloud but existing sessions will not be disconnected. The Managed Accounts will only be forced to log in via Azure on their next login.

I hope this helps. 

Regards,
Ramon

Hi Ramon,

Thanks for the detailed explanation. All is clear now and we are preparing for SSO go-live soon.

Best regards,

Tomasz

Good luck Tomasz!
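A pre-cutover check for the sequence described in the accepted answer, as an added example that is not part of the original thread or of any Atlassian or Microsoft tooling. It confirms that the Identifier and Reply URL in Azure no longer hold the dummy values and carry the same unique ID, and lists managed accounts on the claimed domain that are not yet assigned to the Azure app. The function names are hypothetical, the two lists are assumed to be exported by hand, and it assumes each user's Azure sign-in name equals their Atlassian account email.

```python
from urllib.parse import urlsplit, parse_qs

HOST = "auth.atlassian.com"


def shared_saml_id(identifier, reply_url):
    """Return the unique ID carried by both Azure fields, or None if the
    values are still placeholders, malformed, or point at different IDs."""
    ident, reply = urlsplit(identifier), urlsplit(reply_url)
    if (ident.scheme, ident.hostname) != ("https", HOST):
        return None
    if (reply.scheme, reply.hostname, reply.path) != ("https", HOST, "/login/callback"):
        return None
    if not ident.path.startswith("/saml/"):
        return None
    id_from_identifier = ident.path[len("/saml/"):]
    connection = parse_qs(reply.query).get("connection", [""])[0]
    if not connection.startswith("saml-"):
        return None
    id_from_reply = connection[len("saml-"):]
    # Angle brackets, spaces or slashes mean the template text was never replaced.
    if not id_from_identifier or any(c in id_from_identifier for c in "<> /"):
        return None
    return id_from_identifier if id_from_identifier == id_from_reply else None


def unassigned_managed_accounts(managed, assigned, claimed_domain):
    """Managed accounts on the claimed domain that are not assigned to the
    Azure app; per the answer, they need assignment before they can use SSO."""
    assigned_set = {a.strip().lower() for a in assigned}
    suffix = "@" + claimed_domain.strip().lower()
    candidates = {m.strip().lower() for m in managed}
    return sorted(m for m in candidates if m.endswith(suffix) and m not in assigned_set)


if __name__ == "__main__":
    # Constructed sample data; example.com and the ID below are made up.
    managed = ["Anna@example.com", "bob@example.com", "carol@example.com", "dave@other.example"]
    assigned = ["anna@example.com", "BOB@example.com"]
    print(shared_saml_id("https://auth.atlassian.com/saml/<unique ID>",
                         "https://auth.atlassian.com/login/callback?connection=saml-<unique ID>"))
    print(shared_saml_id("https://auth.atlassian.com/saml/constructed-id-123",
                         "https://auth.atlassian.com/login/callback?connection=saml-constructed-id-123"))
    print(unassigned_managed_accounts(managed, assigned, "example.com"))
```

Running it before ending the maintenance window shows which accounts still need assignment in Azure; anything it lists would be forced to SSO on next login without being able to use it.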
