I have some questions regarding the implementation of SAML single sign-on with Atlassian Access.
This is the current scenario:
We are planning to enable Atlassian Access, verify the subdomain "branch.contoso.com", claim accounts, and enable SAML single sign-on.
If we enabled Atlassian Access with "branch.contoso.com", what will happen with users still under "@branch.acme.com" email addresses?
If we migrate them to @branch.contoso.com after Atlassian Access is enabled.
- Will they keep their same access level and content (Bitbucket commits, JIRA ticketc. etc) associated with the previous account ID (@branch.acme.com)?
- Should we move everyone to the @branch.contoso.com email address before enabling Atlassian Access to avoid any issues?
- How about the Trello users, Will they become managed accounts even though they are outside of the Atlassian organization? If so, How can they avoid it?
Thank you, everyone, for your insights
Hi @Jimmy ,
Do you have both the branch.contoso.com and branch.acme.com domains verified currently? That's the state I would try to target first. Have both domains verified, and then it's much easier to change users email address from one to the other. From an Atlassian functional benefit, there's no difference between having both domains verified under your organization or having all the users on one domain, so I would only do this if you had some other business reason for wanting to update everyone's email addresses to the same domain.
If you have both domains verified, you can change email addresses via the UI or using this API: https://developer.atlassian.com/cloud/admin/user-management/rest/api-group-users/#api-users-account-id-manage-email-put
I would do this before you enable SSO with Access. And then you should ensure that users' email addresses on their Atlassian accounts match what's in your IdP.
>Will they keep their same access level and content (Bitbucket commits, JIRA ticketc. etc) associated with the previous account ID (@branch.acme.com)?
Yes. There will be no impact to existing users besides needing to use the new email address when they sign in.
>How about the Trello users, Will they become managed accounts even though they are outside of the Atlassian organization? If so, How can they avoid it?
When you claim a domain, all users with Atlassian accounts become managed accounts of your organization, regardless of which products or tenants they have access to (including Trello). We don't currently have a way to choose which users become managed accounts of your organization; however, the ability to set different SSO policies for different groups of users is something we are actively working on.
Hope this helps.
Hi Community! Thank you to all those who joined our What’s new in Atlassian Access webinar last week! We received so many great questions about existing functionality and newly released features of...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events