SAML single sign-on


I have some questions regarding the implementation of SAML single sign-on with Atlassian Access.


This is the current scenario:

  • Single Atlassian organization using the JIRA/Confluence/Bitbucket product suite.
  • User email addresses belong to either the @branch.contoso.com or @branch.acme.com domain.
  • There are Trello users outside of the Atlassian organization using @branch.contoso.com email addresses.


We are planning to enable Atlassian Access, verify the subdomain "branch.contoso.com", claim accounts, and enable SAML single sign-on. 

If we enabled Atlassian Access with "branch.contoso.com", what will happen with users still under "@branch.acme.com" email addresses?

If we migrate them to @branch.contoso.com after Atlassian Access is enabled:

- Will they keep their same access level and content (Bitbucket commits, JIRA tickets, etc.) associated with the previous account ID (@branch.acme.com)?

- Should we move everyone to the @branch.contoso.com email address before enabling Atlassian Access to avoid any issues?

- How about the Trello users, will they become managed accounts even though they are outside of the Atlassian organization? If so, how can they avoid it?

Thank you, everyone, for your insights

Regards

1 answer

0 votes
Dave Meyer Atlassian Team Aug 22, 2020

Hi @Jimmy ,

Do you have both the branch.contoso.com and branch.acme.com domains verified currently? That's the state I would try to target first. Have both domains verified, and then it's much easier to change users' email addresses from one to the other. From an Atlassian functional benefit, there's no difference between having both domains verified under your organization or having all the users on one domain, so I would only do this if you had some other business reason for wanting to update everyone's email addresses to the same domain.

 

If you have both domains verified, you can change email addresses via the UI or using this API: https://developer.atlassian.com/cloud/admin/user-management/rest/api-group-users/#api-users-account-id-manage-email-put

I would do this before you enable SSO with Access. And then you should ensure that users' email addresses on their Atlassian accounts match what's in your IdP.

> Will they keep their same access level and content (Bitbucket commits, JIRA tickets, etc.) associated with the previous account ID (@branch.acme.com)?

Yes. There will be no impact to existing users besides needing to use the new email address when they sign in.

> How about the Trello users, will they become managed accounts even though they are outside of the Atlassian organization? If so, how can they avoid it?

When you claim a domain, all users with Atlassian accounts become managed accounts of your organization, regardless of which products or tenants they have access to (including Trello). We don't currently have a way to choose which users become managed accounts of your organization; however, the ability to set different SSO policies for different groups of users is something we are actively working on.

Hope this helps.

Dave
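A pre-flight check for the steps in the answer above, as an added example that is not part of the original thread and not Atlassian tooling: it classifies accounts by whether claiming the verified domains would make them managed and whether their address matches the IdP. The two CSV exports are constructed sample data, and their column names and the `audit` helper are hypothetical.

```python
import csv
import io

# Assumption: the only domain verified so far, as in the question's plan.
VERIFIED_DOMAINS = {"branch.contoso.com"}

# Constructed sample exports; column names are hypothetical, not an Atlassian or IdP format.
ATLASSIAN_CSV = """email,products
Alice@branch.contoso.com,jira;confluence
bob@branch.acme.com,bitbucket
carol@branch.contoso.com,trello
dave@branch.contoso.com,jira
"""
IDP_CSV = """email
alice@branch.contoso.com
bob@branch.contoso.com
dave@branch.contoso.com
"""

def rows(text):
    """Parse CSV text into dicts, normalising the email column."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        row["email"] = row["email"].strip().lower()
        out.append(row)
    return out

def audit(accounts, idp_users, verified):
    """Classify each Atlassian account ahead of claiming domains and enabling SSO."""
    idp = {u["email"] for u in idp_users}
    idp_by_local = {e.rsplit("@", 1)[0]: e for e in idp if e.rsplit("@", 1)[1] in verified}
    report = {"managed": [], "unverified_domain": [], "missing_in_idp": [],
              "trello_only_claimed": [], "rename_candidates": {}}
    for acct in accounts:
        email = acct["email"]
        local, dom = email.rsplit("@", 1)
        if dom not in verified:
            report["unverified_domain"].append(email)
            if local in idp_by_local:  # same local part already on a verified domain in the IdP
                report["rename_candidates"][email] = idp_by_local[local]
            continue
        report["managed"].append(email)  # claiming the domain makes this a managed account
        if email not in idp:
            report["missing_in_idp"].append(email)  # address must match the IdP before SSO
        if set(acct["products"].split(";")) == {"trello"}:
            report["trello_only_claimed"].append(email)
    return report

if __name__ == "__main__":
    for key, value in audit(rows(ATLASSIAN_CSV), rows(IDP_CSV), VERIFIED_DOMAINS).items():
        print(f"{key}: {value}")
```

Adding `branch.acme.com` to `VERIFIED_DOMAINS` moves bob's account into `managed` and `missing_in_idp`, which is the state in which the email change described in the answer should be made before SSO is enabled.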

Thanks Dave.

Appreciate the help.

Regards

J
