You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
I have some questions regarding the implementation of SAML single sign-on with Atlassian Access.
This is the current scenario:
We are planning to enable Atlassian Access, verify the subdomain "branch.contoso.com", claim accounts, and enable SAML single sign-on.
If we enabled Atlassian Access with "branch.contoso.com", what will happen with users still under "@branch.acme.com" email addresses?
If we migrate them to @branch.contoso.com after Atlassian Access is enabled.
- Will they keep their same access level and content (Bitbucket commits, JIRA ticketc. etc) associated with the previous account ID (@branch.acme.com)?
- Should we move everyone to the @branch.contoso.com email address before enabling Atlassian Access to avoid any issues?
- How about the Trello users, Will they become managed accounts even though they are outside of the Atlassian organization? If so, How can they avoid it?
Thank you, everyone, for your insights
Hi @Jimmy ,
Do you have both the branch.contoso.com and branch.acme.com domains verified currently? That's the state I would try to target first. Have both domains verified, and then it's much easier to change users email address from one to the other. From an Atlassian functional benefit, there's no difference between having both domains verified under your organization or having all the users on one domain, so I would only do this if you had some other business reason for wanting to update everyone's email addresses to the same domain.
If you have both domains verified, you can change email addresses via the UI or using this API: https://developer.atlassian.com/cloud/admin/user-management/rest/api-group-users/#api-users-account-id-manage-email-put
I would do this before you enable SSO with Access. And then you should ensure that users' email addresses on their Atlassian accounts match what's in your IdP.
>Will they keep their same access level and content (Bitbucket commits, JIRA ticketc. etc) associated with the previous account ID (@branch.acme.com)?
Yes. There will be no impact to existing users besides needing to use the new email address when they sign in.
>How about the Trello users, Will they become managed accounts even though they are outside of the Atlassian organization? If so, How can they avoid it?
When you claim a domain, all users with Atlassian accounts become managed accounts of your organization, regardless of which products or tenants they have access to (including Trello). We don't currently have a way to choose which users become managed accounts of your organization; however, the ability to set different SSO policies for different groups of users is something we are actively working on.
Hope this helps.