I'm interested in migrating to Google Apps sign-in for my organisation, however the documentation seems to be a little patchy when it comes to understanding what will happen for existing users, what their flow will look like, etc.
I have an org of about 60-70 people, and therefore if I do the migration I would like to know exactly what state things end up in before I do hit the button and cause confusion throughout the business.
So, in no particular order:
- Once accounts are synced, will it only be possible to log in via Google accounts or will it also be possible to continue to log in via the original Atlassian password? I can see from https://confluence.atlassian.com/cloud/how-g-suite-users-log-in-744721643.html that the Atlassian password remains and needs to be used for some things (that our team won't be using), so I need to make sure that we get the benefits of SSO and MFA through Google and this can't just be worked around by someone not realising (or by a malicious party trying to gain access to accounts).
- Do groups in Google map to groups in Atlassian directly? And therefore should I create groups that I am using right now for application access, permissions access etc.? E.g. if I am providing access to Jira via an "All Jira" group, should I ensure these groups are set up before I start syncing to avoid people being removed?
- What happens once the sync has taken place in the case of the above where you can only log in via Google? Does everyone get logged out and they have to log in via Google again? This would be good to know for a comms piece.
- I assume the login via Google takes the user to the Google sign-in page to do SSO-type sign-in?
- Based on https://confluence.atlassian.com/cloud/enable-or-disable-g-suite-integration-873918510.html, it says "Your users will still be able to log in to your Atlassian Cloud site with their Google credentials. However, their details won't be synced." Does this mean that Atlassian copies over passwords from Google (this would be surprising/not good), or if not, how does this continue to work if the SSO link has been broken?
Happy to answer your questions about Google Apps sync.
Let us know if this is clear or if you have any additional questions.
Thanks for this Shannon, just what I was looking for!
One question I have as a result of this: I assumed that groups would be synced over. Since they are not, is there any way for me to manage group memberships in Atlassian from Google? Because that would be very helpful to help organise departments and access to different parts of Jira etc.
It's not currently possible, but we do have a feature request for this: ID-152
It's a long-standing feature request, and I see it had also been requested once before in another ticket: ROTP-3095
It doesn't appear to be in the upcoming roadmap, but I would recommend that you vote on it anyway and leave your feedback on that first ticket.
Let us know if you have any other questions about that!
Follow-up on this now I've gone ahead with it. Is there not a way for me to see who is being synced from Google and who is not? Because I have 74 users in the list I am using, however I have 81 users in Jira, and it would be good to know where the difference is.
Also, is there no way for me to limit the users based on that list? All users should be under my domain, so I would have assumed it would block all access for users not on that list, otherwise what is the point of having the list? Seems there are a bunch of users that just existed from before the migration, which is fine, except for the future I would like to enforce using that list and I can't do that for my domain right now, it would seem.
There is not currently a way to view a list of users who were specifically synced from Google, but I've just created a feature request for this at ID-6406. In the meantime, you can tell if an individual user was synced when you go to edit the user, and you have an option to edit in Google Apps.
It should not have synced any users not in the group that you selected to sync. If you have any users that seem to have been synced that you did not intend, you can try having a look at the Audit Log and see if you can determine there how the user was created.
Regarding restricting any users created that were not created by the JIRA sync, any user with site admin rights can create a user and give them access to JIRA. You will need to restrict any users you do not want creating users to ensure any non-Google users do not have access to JIRA. I hope this answers your question but if I missed the mark please let me know.
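Until a synced-users view exists, the gap between the Google list and the site's user list (74 versus 81 in the follow-up above) can be found by exporting both lists and comparing them. The sketch below is an added example, not part of the original thread and not Atlassian tooling; the CSV layouts, the `email` and `active` column names and every address are constructed assumptions.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not a real export format.
GOOGLE_GROUP_CSV = """email
alice@example.com
Bob@Example.com
carol@example.com
"""

ATLASSIAN_USERS_CSV = """email,active
alice@example.com,true
bob@example.com,true
dave@example.com,true
erin@contractor.example.net,true
frank@example.com,false
"""


def load_emails(text, keep=lambda row: True):
    """Return the set of lower-cased addresses from a CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["email"].strip().lower() for row in reader if keep(row)}


def reconcile(google_csv, atlassian_csv, domain):
    """Classify active site accounts that the Google sync list does not cover."""
    synced_list = load_emails(google_csv)
    active = load_emails(
        atlassian_csv, keep=lambda r: r["active"].strip().lower() == "true"
    )
    unmanaged = active - synced_list  # accounts that exist outside the sync list
    suffix = "@" + domain.lower()
    return {
        # In-domain accounts that pre-date the sync or were created by a site admin.
        "unmanaged_in_domain": sorted(e for e in unmanaged if e.endswith(suffix)),
        # Accounts on other domains, which Google SSO for this domain does not cover.
        "unmanaged_external": sorted(e for e in unmanaged if not e.endswith(suffix)),
        # On the Google list but without an active site account.
        "not_yet_provisioned": sorted(synced_list - active),
    }


if __name__ == "__main__":
    for label, users in reconcile(
        GOOGLE_GROUP_CSV, ATLASSIAN_USERS_CSV, "example.com"
    ).items():
        print(label, users)
```

Each address in the two unmanaged lists can then be checked individually on the edit-user page and in the Audit Log, as described above.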