SSO still requires entering an email.

Mantas Geležinis June 18, 2021

Hello,

We are trying to implement SSO using Atlassian Access and we are facing a little problem.

Situation: We have a Cloud instance and a separate app that uses the same users from the OneLogin directory. When the first login is initiated in our app and we then go to Jira Cloud, we are required to enter an email. If the email ends with a verified domain, Jira redirects us to the Single Sign-on provider and logs us in.

Problem: We want to avoid entering email if we are already authenticated with our identity provider. Is it possible?


0 votes
Answer accepted
Boris Berenberg - Atlas Authority
Rising Star
June 19, 2021

The only way to bypass entering your email would be to have the user start from the SSO tool. For example, clicking the chicklet in Okta or something.

Mantas Geležinis June 20, 2021

Thank you Boris!

I was able to retrieve the user's Jira app ID from the OneLogin API and generate the same URL that OneLogin uses to redirect after clicking that chicklet.

https://{mydomain}.onelogin.com/client/apps/select/{userAppID}/?RelayState={redirectURl}

OneLogin api endpoint for userApps:
https://developers.onelogin.com/api-docs/2/users/get-user-apps
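As an added example (not code from this thread or from OneLogin), the small script below does what Mantas describes: it picks the user's Jira app out of the list returned by the documented "Get User Apps" endpoint and composes the IdP-initiated launch URL in the shape posted above, percent-encoding the RelayState. The sample app list, the JSON field names `id` and `name`, the subdomain `mydomain` and the site `mycompany.atlassian.net` are all assumptions constructed for the example; check the field names against the linked docs before using them. The allow-list check is added because RelayState is a redirect target: a launch link whose RelayState points at a foreign host would send a freshly signed-in user off-site, so the builder refuses anything that is not your own Atlassian site over https.

```python
"""Build a OneLogin IdP-initiated launch URL for a user's Jira app.

Added example, not code from the thread. It assumes the URL shape posted
above and the OneLogin v2 "Get User Apps" endpoint documented at
https://developers.onelogin.com/api-docs/2/users/get-user-apps. The JSON
field names ("id", "name") and the sample payload below are assumptions
constructed for this example.
"""
from urllib.parse import urlencode, urlsplit

# Constructed sample of what GET /api/2/users/{user_id}/apps might return
# (field names assumed; verify against the OneLogin docs).
SAMPLE_USER_APPS = [
    {"id": 101, "name": "Google Workspace"},
    {"id": 202, "name": "Jira Cloud"},
    {"id": 303, "name": "Slack"},
]

# RelayState is a redirect target: only allow your own Atlassian site,
# otherwise the launch link doubles as an open redirect (placeholder host).
ALLOWED_REDIRECT_HOSTS = {"mycompany.atlassian.net"}


def find_app_id(apps, app_name):
    """Return the id of the user's app whose name matches (case-insensitive), or None."""
    for app in apps:
        if app.get("name", "").casefold() == app_name.casefold():
            return app["id"]
    return None


def is_allowed_redirect(url):
    """True only for absolute https URLs whose host is on the allow-list."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS


def build_idp_initiated_url(subdomain, user_app_id, redirect_url):
    """Compose https://{subdomain}.onelogin.com/client/apps/select/{id}/?RelayState=...

    RelayState is percent-encoded so that slashes and query characters in the
    target URL survive the round trip through OneLogin unchanged.
    """
    if not is_allowed_redirect(redirect_url):
        raise ValueError(f"refusing to build launch URL for redirect target {redirect_url!r}")
    query = urlencode({"RelayState": redirect_url})
    return f"https://{subdomain}.onelogin.com/client/apps/select/{user_app_id}/?{query}"


def launch_url_for(subdomain, apps, app_name, redirect_url):
    """Look up the user's app id by name, then build the launch URL."""
    app_id = find_app_id(apps, app_name)
    if app_id is None:
        raise LookupError(f"user has no app named {app_name!r}")
    return build_idp_initiated_url(subdomain, app_id, redirect_url)


if __name__ == "__main__":
    print(launch_url_for("mydomain", SAMPLE_USER_APPS, "Jira Cloud",
                         "https://mycompany.atlassian.net/browse/PROJ-1"))
```

In a live setup, `SAMPLE_USER_APPS` is replaced by the JSON array the documented endpoint returns for the signed-in user, and the resulting link is what your app sends the browser to instead of the Atlassian login page; because the user is already authenticated at OneLogin, the IdP completes the SAML exchange without the email prompt.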

Martin Notz September 8, 2022

Is there a solution for this problem? We have the same problem with Microsoft Azure and we can't find a solution for our users. We use Jira Service Management and want to use the portal...

Andrew Barnes October 27, 2022

We're having the same issue.

John M_ June 8, 2023

With SAML SSO there is the SP (Service Provider) and IDP (Identity Provider) initiated flow.

In case you have SSO configured for Atlassian Access (SP) with Azure AD (IDP) you have the following situation:


The IDP-initiated flow (via myapps.microsoft.com) will do a number of redirects and provide seamless sign-in to the end user without having to enter an email address if the user is already authenticated on the Microsoft platform. You can find the URL in the Azure AD admin portal under Applications -> Enterprise Applications -> Jira Cloud -> Properties -> User Access URL.

The SP-initiated flow prompts the user for an email address, or offers the button "Continue with Microsoft" to sign in directly with the MS account. If the user is already signed in to Microsoft (through an AAD-joined computer) then the sign-in is seamless after clicking the button.

Challenges:
While it technically works, I have a few challenges with the way Atlassian implemented SSO.

While the IDP-initiated flow is seamless, it does create a number of redirects, causing a delay of a few seconds before the user sees the customer portal. This does not give an ideal user experience if the user is clicking the link multiple times a day to create tickets or read KB articles.

The SP-initiated flow requires user education. We need to train users to click the Sign in with Microsoft button. Once signed in, session cookies will be retained for 30 days, so the user will not be prompted again.

Ideal solution:

Would be to find some kind of way to authenticate the user at sign-in creating the session cookie in the background. So far I've not found a way of achieving this.

Gottlob Brodbeck August 25, 2023

Is there anyone who has found a solution for this problem in the meantime? In my opinion, it is more than catastrophic that Atlassian cannot offer a meaningful solution here.
