What to do if we can't verify 10 different external 3rd party domains (and using Okta)

Eric Karlinsky November 20, 2020

Hi,

We're a global service provider and we're setting up a Jira / Okta integration where several employees of large global 3rd parties need access, each with their own domain. So users will be onboarded in Okta and Okta will do the Authentication and Authorization before accessing Jira.

The issue we have now is how to verify all these different domains? Can you imagine what it takes to add something to global companies websites or DNS?? And these are companies with more than 100.000 employees, so imagine the process to get this approved and done..

And why would you verify domains if Atlassian trusts Okta to do Authentication and Authorization? It really doesn't make sense. 

I really would like to know how you would solve this. More and more companies will connect to each other, it is simply not doable to do all these domain verification.

Please suggest some best practices.

Thanks,

Bert deRoos

1 answer

1 vote
Daniel Ebers
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 20, 2020

Hi Eric or Bert,

are you at this point specifically referring to the article "Verify a domain for your organisation"?

https://confluence.atlassian.com/cloud/verify-a-domain-for-your-organization-873871234.html

Doing so this would require putting a TXT record to all relevant domains (all you want to verify).
There is an alternative uploading a HTML file - which is probably not better.

Am I getting you right that this is what you are currently tasked with and the steps are clear but you wonder why this is such a huge effort?
Let me share my experience - recently I verified four domains using DNS but working this out with IT staff went great.

On why the conception is like this with Okta I cannot say much. The validation itself was something I could understand (by means of the technical todos, as well as to why it is necessary) - but yes, a somewhat nicer way would also have been okay :)

Let me know if I misunderstood something.

Regards,
Daniel

Eric Karlinsky November 21, 2020

Thanks Daniel,

Indeed I'm referring to the article you mentioned about verifying the domain and I understand what it technically means.

I foresee huge impact on the processes around it. we're setting up as integrator (dxc.com) a jira project for a large customer, xyz.com. Now, other 3rd parties need access as well, people from ibm.com, microsoft.com, oracle.com and accenture.com (this is the scale we're talking about)

Now as I understand correctly, to verify domains, I need to reach out to these global companies and ask them to adjust DNS record or add a HTML file to their website. Can you imagine the efforts, simply finding the right people, approvals and their willingness to do this?

I somehow can understand why initially Atlassian has created this idea of verifying domains but it is simply not doable anymore if you grow to a global scale in a connected world and it is blocking Jira deployments tremendously.

But maybe my interpretation is wrong and you can do it on a much easier way?

Thanks,

Bert

Daniel Ebers
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 21, 2020

The domains you mentioned (ibm, Microsoft, oracle, ...) do not need to be verified on your own instance - it will not be possible as they are not yours.

I assume the following is meant:

  • you verify the domain of the company your are working for so that they are in charge of all user accounts under this domain (exampleenterprises.tld)
  • you want to work together with ibm, Microsoft and so on - therefore they log in with their Atlassian-Accounts registered to their mail address (john.doe.xyz@ibm.com) into your cloud site
Like Dave Meyer likes this
Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 21, 2020

This is correct. Atlassian accounts can be used across multiple cloud tenants, so SSO is tied to the organization that owns the account. In this example, IBM would own @Inessa B.com accounts, and those accounts would authenticate with IBM's identity provider (Okta or an equivalent). 

We are currently working on support directory syncing for external accounts (so if you have users in your identity provider that are external/on domains that you don't manage), those users will still sync as part of your groups, but authentication for those accounts would still be determined by the organization that manages the account.

Bert deRoos November 22, 2020

Many thanks, good to hear that it should be much easier than I initially thought.

So, the steps are then:

1. verify the domain we're working for, in our case exampleenterprises.tld. Verifying this domain enable the possibility in Atlassian Access to setup SSO integration with Okta

2. Integrate with Okta. Okta will be used to perform MultiFactor Authentication

3. Users from exampleenterprises.tld and ibm.com (e.g. john.doe.xyz@ibm.com), authenticated by Okta, should have access to Atlassian.    

As you work on "directory syncing for external accounts" it is currently not possible to provisioning users from external domain e.g. ibm.com, this has to done manual, right?

Do you know when this feature comes available?

Thanks,

Bert

Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 23, 2020

Hi @Bert deRoos ,

verify the domain we're working for, in our case exampleenterprises.tld. Verifying this domain enable the possibility in Atlassian Access to setup SSO integration with Okta

Correct

Users from exampleenterprises.tld and ibm.com (e.g. john.doe.xyz@ibm.com), authenticated by Okta, should have access to Atlassian. 

This will depend on what security policies the owner of those domains has configured on the account. We are also about to release a new feature that will show you (as a content owner) whether these external users are logging in with SSO or 2SV, even though you don't control it.

As you work on "directory syncing for external accounts" it is currently not possible to provisioning users from external domain e.g. ibm.com, this has to done manual, right?

Yes you can follow the instructions for inviting users to your Jira instance here. And you can create and use local Atlassian groups with these users.

Do you know when this feature comes available?

We are generally targeting the end of this calendar year.

Bert deRoos November 23, 2020

Thanks Dave,

We'll start to setting everything up, so hopefully everything works as expected :)

Best Regards,

Bert

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events