Migrating to Google Apps Sign In

Rob Elkin August 2, 2017

Hi,

I'm interested in migrating to Google Apps sign in for my organisation; however, the documentation seems to be a little patchy when it comes to understanding what will happen for existing users, what their flow will look like, etc.

I have an org of about 60-70 people, and therefore if I do the migration I would like to know exactly what state things end up in before I do hit the button and cause confusion throughout the business.

So, in no particular order:

- Once accounts are synced, will it only be possible to log in via Google accounts or will it also be possible to continue to log in via the original Atlassian password? I can see from https://confluence.atlassian.com/cloud/how-g-suite-users-log-in-744721643.html that the Atlassian password remains and needs to be used for some things (that our team won't be using), so I need to make sure that we get the benefits of SSO and MFA through Google and this can't just be worked around by someone not realising (or by a malicious party trying to gain access to accounts).

- Do groups in Google map to groups in Atlassian directly? And therefore should I create groups that I am using right now for application access, permissions access etc? E.g. if I am providing access to Jira via an "All Jira" group, should I ensure these groups are set up before I start syncing to avoid people being removed?

- What happens once the sync has taken place in the case of the above where you can only log in via Google? Does everyone get logged out and they have to log in via Google again? This would be good to know for a comms piece.

- I assume the login via Google takes the user to the Google sign-in page to do SSO-type sign-in?

- Based on https://confluence.atlassian.com/cloud/enable-or-disable-g-suite-integration-873918510.html, it says "Your users will still be able to log in to your Atlassian Cloud site with their Google credentials. However, their details won't be synced.". Does this mean that Atlassian copies over passwords from Google (this would be surprising/not good), or if not, how does this continue to work if the SSO link has been broken?

Thanks!

Rob

2 answers

1 accepted

0 votes
Answer accepted
Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 3, 2017

Hello, Rob!

Happy to answer your questions about Google Apps sync.

  1. Your users whose email domain is part of your Google Apps account will only be able to log in via Google credentials. Therefore, it is not possible for a 3rd party to try and access the instance with the database password for those users. However, any users who have a domain that is not part of your Google Apps account will log in normally using the Atlassian ID password.
  2. Groups in Google Apps do not map to groups in Cloud directly. The groups are simply to determine which users are synced to your Cloud instance and which are not.
  3. Once Google is synced, this does not affect the active sessions. However, when the session expires, then the next time the Google users log in, they will need to log in via Google. I would recommend that you request your users to log out of the Cloud instance and back in in order to create the connection to Google Apps.
  4. You are correct in assuming the login to Google does take the user to the Google sign-in page to complete their Google SSO sign-in, once they've entered an email address associated with your Google Apps account.
  5. When you disconnect the integration, it simply disrupts the sync process with your Cloud instance. However, the link from the Google Apps account to the user's Atlassian ID remains. The Google password is not stored in our system.

Let us know if this is clear or if you have any additional questions.

Kind Regards,

Shannon

Rob Elkin August 3, 2017

Thanks for this Shannon, just what I was looking for!

One question I have as a result of this: I assumed that groups would be synced over. Since they are not, is there any way for me to manage group memberships in Atlassian from Google? Because that would be very helpful to help organise departments and access to different parts of Jira etc.

Shannon S
Atlassian Team
August 4, 2017

Hi Rob,

It's not currently possible, but we do have a feature request for this: ID-152

It's a long-standing feature request, and I see it had also been requested once before in another ticket: ROTP-3095

It doesn't appear to be in the upcoming roadmap, but I would recommend that you vote on it anyway and leave your feedback on that first ticket.

Let us know if you have any other questions about that!

Kind Regards,
Shannon

0 votes
Rob Elkin August 7, 2017

Follow up on this now I've gone ahead with it. Is there not a way for me to see who is being synced from Google and who is not? Because I have 74 users in the list I am using, however I have 81 users in Jira, and it would be good to know where the difference is.

Also, is there no way for me to limit the users based on that list? All users should be under my domain, so I would have assumed it would block all access for users not on that list, otherwise what is the point of having the list? Seems there are a bunch of users that just existed from before the migration, which is fine except for the future I would like to enforce using that list and I can't do that for my domain right now it would seem.

Shannon S
Atlassian Team
August 8, 2017

Hi Rob,

There is not currently a way to view a list of users who were specifically synced from Google, but I've just created a feature request for this at ID-6406. In the meantime, you can tell if an individual user was synced when you go to edit the user, and you have an option to edit in Google Apps.

It should not have synced any users not in the group that you selected to sync. If you have any users that seem to have been synced that you did not intend, you can try having a look at the Audit Log and see if you can determine there how the user was created. 

Regarding restricting any users created that were not created by the JIRA sync, any user with site admin rights can create a user and give them access to JIRA. You will need to restrict any users you do not want creating users to ensure any non-Google users do not have access to JIRA. I hope this answers your question but if I missed the mark please let me know.

Kind Regards,
Shannon
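
One way to find the gap between the 74 synced users and the 81 Jira users discussed above, as an added example that is not part of the thread and not Atlassian tooling: compare an export of the Google group with an export of the Jira user list, and bucket each Jira account by the login rule given in the first answer. The CSV layout (a single `email` column), the sample addresses and the `example.com` domain are constructed assumptions.

```python
import csv
import io

# Constructed sample exports. The single "email" column is an assumption;
# adjust it to match the headers of your real Google and Jira exports.
GOOGLE_GROUP_CSV = "email\nalice@example.com\nBob@Example.com\nerin@example.com\n"
JIRA_USERS_CSV = (
    "email\nalice@example.com\nbob@example.com\n"
    "carol@example.com\ndave@contractor.example.net\n"
)
SSO_DOMAINS = {"example.com"}  # domains attached to the Google Apps account


def load_emails(text, column="email"):
    """Return the set of normalised addresses found in one CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {e for e in ((r.get(column) or "").strip().lower() for r in rows) if e}


def classify(jira_users, google_group, sso_domains):
    """Bucket every Jira account by how the thread says it will authenticate."""
    report = {"synced": [], "domain_not_in_group": [], "outside_domain": []}
    for email in sorted(jira_users):
        domain = email.rpartition("@")[2]
        if email in google_group:
            report["synced"].append(email)
        elif domain in sso_domains:
            # Google login applies, but the account is not managed by the sync.
            report["domain_not_in_group"].append(email)
        else:
            # Logs in with the Atlassian ID password, outside Google SSO/MFA.
            report["outside_domain"].append(email)
    # Group members with no Jira account yet (not synced, or export is stale).
    report["group_not_in_jira"] = sorted(google_group - jira_users)
    return report


def audit():
    """Run the comparison over the constructed sample exports above."""
    jira = load_emails(JIRA_USERS_CSV)
    group = load_emails(GOOGLE_GROUP_CSV)
    return classify(jira, group, SSO_DOMAINS)


if __name__ == "__main__":
    for bucket, emails in audit().items():
        print(f"{bucket}: {len(emails)}")
        for email in emails:
            print(f"  {email}")
```

The `outside_domain` bucket is the one to review first if the goal is that every account sits behind Google SSO and MFA.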
