Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

SAML single sign-on

Jimmy August 20, 2020

I have some questions regarding the implementation of SAML single sign-on with Atlassian Access.


This is the current scenario:

  • Single Atlassian organization using JIRA/Confluence/Bitbucket products suite.
  • User email addresses belong either @branch.contoso.com or @branch.acme.com domains.
  • There are Trello users outside of the Atlassian organization using @branch.contoso.com email addresses.


We are planning to enable Atlassian Access, verify the subdomain "branch.contoso.com", claim accounts, and enable SAML single sign-on. 

If we enabled Atlassian Access with "branch.contoso.com", what will happen with users still under "@branch.acme.com" email addresses?

If we migrate them to @branch.contoso.com after Atlassian Access is enabled. 

- Will they keep their same access level and content (Bitbucket commits, JIRA ticketc. etc) associated with the previous account ID (@branch.acme.com)? 

- Should we move everyone to the @branch.contoso.com email address before enabling Atlassian Access to avoid any issues?

- How about the Trello users, Will they become managed accounts even though they are outside of the Atlassian organization? If so, How can they avoid it? 

Thank you, everyone, for your insights

Regards

1 answer

0 votes
Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 22, 2020

Hi @Jimmy ,

Do you have both the branch.contoso.com and branch.acme.com domains verified currently? That's the state I would try to target first. Have both domains verified, and then it's much easier to change users email address from one to the other. From an Atlassian functional benefit, there's no difference between having both domains verified under your organization or having all the users on one domain, so I would only do this if you had some other business reason for wanting to update everyone's email addresses to the same domain.

 

If you have both domains verified, you can change email addresses via the UI or using this API: https://developer.atlassian.com/cloud/admin/user-management/rest/api-group-users/#api-users-account-id-manage-email-put

I would do this before you enable SSO with Access. And then you should ensure that users' email addresses on their Atlassian accounts match what's in your IdP.

>Will they keep their same access level and content (Bitbucket commits, JIRA ticketc. etc) associated with the previous account ID (@branch.acme.com)?

Yes. There will be no impact to existing users besides needing to use the new email address when they sign in.

>How about the Trello users, Will they become managed accounts even though they are outside of the Atlassian organization? If so, How can they avoid it?

When you claim a domain, all users with Atlassian accounts become managed accounts of your organization, regardless of which products or tenants they have access to (including Trello). We don't currently have a way to choose which users become managed accounts of your organization; however, the ability to set different SSO policies for different groups of users is something we are actively working on.

Hope this helps.

Dave

Jimmy August 30, 2020

Thanks Dave.

Appreciate the help.

Regards

J

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events