Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

SSO still requires to enter email.

Mantas Geležinis June 18, 2021

Hello,

We are trying to implement SSO using Atlassian Access and we are facing little problem.

Situation: We have Cloud instance and separate app that is using same users from OneLogin directory. When first login is initiated in our app and then we go to Jira Cloud we are required to enter an email. If email ends up with verified domain Jira redirects us to Single Sign-on provider and log us in.

Problem: We want to avoid entering email if we are already authenticated with our identity provider. Is it possible?

1 answer

1 accepted

0 votes
Answer accepted
Boris Berenberg - Atlas Authority
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 19, 2021

The only way to bypass entering your email would be to have the user start from the SSO tool. For example, clicking the chicklet in Okta or something.

Mantas Geležinis June 20, 2021

Thank you Boris!

I was able to retrieve users jira app ID from onelogin api and generate same url as onelogin uses to redirect after clicking that clicklet. 

https://{mydomain}.onelogin.com/client/apps/select/{userAppID}/?RelayState={redirectURl}

OneLogin api endpoint for userApps:
https://developers.onelogin.com/api-docs/2/users/get-user-apps

Martin Notz
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
September 8, 2022

Is there a solution for this problem? We have the same problem with Microsoft Azure and we don't find a solution for our users. We use Jira Service Management and want to use the portal...

Andrew Barnes October 27, 2022

We're having the same issue.

John M_ June 8, 2023

With SAML SSO there is the SP (Service Provider) and IDP (Identity Provider) initiated flow.

In case you have SSO configured for Atlassian Access (SP) with Azure AD (IDP) you have the following situation:

 

The IDP-initiated flow (via myapps.microsoft.com) will do a number of redirects and provide seamless sign-in to the end user without having to enter an email address if the user is already authenticated on the Microsoft platform. You can find the URL in the AzureAD admin portal under Applications -> Enterprise Applications -> Jira Cloud -> properties -> User Access URL

The SP-Initiated flow does prompt the user for either an email address and gives the button "Continue with Microsoft" to directly sign-in with the MS account. If the user is already signed in to Microsoft (through AAD joined computer) then the sign-in is seamless after clicking the button.

Challenges:
While it technically works, I have a few challenges with the way Atlassian implemented SSO.

While the IDP-Initiated flow is seamless, it does create a number of redirects causing a few seconds for the user to see the customer portal. This is not giving an ideal user experience if the users is clicking the link multiple times a day to create tickets or read KB articles.

The SP-Initiated flow requires user education. We need to train users to click the Sign-in with Microsoft button. Once signed in, session cookies will be retained for 30 days. Hence the user will not be prompted again.

Ideal solution:

Would be to find some kind of way to authenticate the user at sign-in creating the session cookie in the background. So far I've not found a way of achieving this.

Like # people like this
Gottlob Brodbeck
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
August 25, 2023

Is there anyone where has found a solution for this problem in the meantime? In my opinion, it is more than catastrophic that Atlassian cannot offer a meaningful solution here.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events