Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

What to do if we can't verify 10 different external 3rd party domains (and using Okta)

Hi,

We're a global service provider and we're setting up a Jira / Okta integration where several employees of large global 3rd parties need access, each with their own domain. So users will be onboarded in Okta and Okta will do the Authentication and Authorization before accessing Jira.

The issue we have now is how to verify all these different domains? Can you imagine what it takes to add something to global companies websites or DNS?? And these are companies with more than 100.000 employees, so imagine the process to get this approved and done..

And why would you verify domains if Atlassian trusts Okta to do Authentication and Authorization? It really doesn't make sense. 

I really would like to know how you would solve this. More and more companies will connect to each other, it is simply not doable to do all these domain verification.

Please suggest some best practices.

Thanks,

Bert deRoos

1 answer

1 vote
Daniel Ebers Community Leader Nov 20, 2020

Hi Eric or Bert,

are you at this point specifically referring to the article "Verify a domain for your organisation"?

https://confluence.atlassian.com/cloud/verify-a-domain-for-your-organization-873871234.html

Doing so this would require putting a TXT record to all relevant domains (all you want to verify).
There is an alternative uploading a HTML file - which is probably not better.

Am I getting you right that this is what you are currently tasked with and the steps are clear but you wonder why this is such a huge effort?
Let me share my experience - recently I verified four domains using DNS but working this out with IT staff went great.

On why the conception is like this with Okta I cannot say much. The validation itself was something I could understand (by means of the technical todos, as well as to why it is necessary) - but yes, a somewhat nicer way would also have been okay :)

Let me know if I misunderstood something.

Regards,
Daniel

Thanks Daniel,

Indeed I'm referring to the article you mentioned about verifying the domain and I understand what it technically means.

I foresee huge impact on the processes around it. we're setting up as integrator (dxc.com) a jira project for a large customer, xyz.com. Now, other 3rd parties need access as well, people from ibm.com, microsoft.com, oracle.com and accenture.com (this is the scale we're talking about)

Now as I understand correctly, to verify domains, I need to reach out to these global companies and ask them to adjust DNS record or add a HTML file to their website. Can you imagine the efforts, simply finding the right people, approvals and their willingness to do this?

I somehow can understand why initially Atlassian has created this idea of verifying domains but it is simply not doable anymore if you grow to a global scale in a connected world and it is blocking Jira deployments tremendously.

But maybe my interpretation is wrong and you can do it on a much easier way?

Thanks,

Bert

Daniel Ebers Community Leader Nov 21, 2020

The domains you mentioned (ibm, Microsoft, oracle, ...) do not need to be verified on your own instance - it will not be possible as they are not yours.

I assume the following is meant:

  • you verify the domain of the company your are working for so that they are in charge of all user accounts under this domain (exampleenterprises.tld)
  • you want to work together with ibm, Microsoft and so on - therefore they log in with their Atlassian-Accounts registered to their mail address (john.doe.xyz@ibm.com) into your cloud site
Like Dave Meyer likes this
Dave Meyer Atlassian Team Nov 21, 2020

This is correct. Atlassian accounts can be used across multiple cloud tenants, so SSO is tied to the organization that owns the account. In this example, IBM would own @ibm.com accounts, and those accounts would authenticate with IBM's identity provider (Okta or an equivalent). 

We are currently working on support directory syncing for external accounts (so if you have users in your identity provider that are external/on domains that you don't manage), those users will still sync as part of your groups, but authentication for those accounts would still be determined by the organization that manages the account.

Many thanks, good to hear that it should be much easier than I initially thought.

So, the steps are then:

1. verify the domain we're working for, in our case exampleenterprises.tld. Verifying this domain enable the possibility in Atlassian Access to setup SSO integration with Okta

2. Integrate with Okta. Okta will be used to perform MultiFactor Authentication

3. Users from exampleenterprises.tld and ibm.com (e.g. john.doe.xyz@ibm.com), authenticated by Okta, should have access to Atlassian.    

As you work on "directory syncing for external accounts" it is currently not possible to provisioning users from external domain e.g. ibm.com, this has to done manual, right?

Do you know when this feature comes available?

Thanks,

Bert

Dave Meyer Atlassian Team Nov 23, 2020

Hi @Bert deRoos ,

verify the domain we're working for, in our case exampleenterprises.tld. Verifying this domain enable the possibility in Atlassian Access to setup SSO integration with Okta

Correct

Users from exampleenterprises.tld and ibm.com (e.g. john.doe.xyz@ibm.com), authenticated by Okta, should have access to Atlassian. 

This will depend on what security policies the owner of those domains has configured on the account. We are also about to release a new feature that will show you (as a content owner) whether these external users are logging in with SSO or 2SV, even though you don't control it.

As you work on "directory syncing for external accounts" it is currently not possible to provisioning users from external domain e.g. ibm.com, this has to done manual, right?

Yes you can follow the instructions for inviting users to your Jira instance here. And you can create and use local Atlassian groups with these users.

Do you know when this feature comes available?

We are generally targeting the end of this calendar year.

Thanks Dave,

We'll start to setting everything up, so hopefully everything works as expected :)

Best Regards,

Bert

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
TAGS
Community showcase
Published in Atlassian Access

See Atlassian Access in action - Live Demo

Did you know Atlassian Access offers more than SAML single sign-on for Atlassian cloud products, like Jira and Confluence? Whether you're just starting to plan for your organization or in the pr...

108 views 0 3
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you