Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

AAD SSO and Guest Users

Edited
Peter Bance
Peter Bance Dec 31, 2020

I have a peculiar issue with Jira Cloud + Atlassian Access. We use SSO (to Azure AD) with automated provisioning for regular users, which works fine. Now, though, we are trying to add a few external partners to our Jira instance. They have Guest accounts in AAD, the provisioning works fine (AAD reports users are successfully created with the correct attributes), but they are not appearing in the "Users" list in Jira, and are unable to log in via our SSO.

I'm sure I'm missing something in the configuration, I just can't work out what/where!

Any pointers on where I should look? Is it more likely to be in Atlassian Access config, or Jira Core/Software?

Follow-up: could it be because I can't add the external partners email domain to "Verified Domains"? I really, really don't want to go creating accounts in our domain for these partners.

Answer
Watch
Like Be the first to like this
2743 views

3 answers

1 accepted

0 votes
Answer accepted
Daniel Ebers
Daniel Ebers
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Dec 31, 2020

Hi Peter,

I remember there has been a discussion around that topic lately which was referred to as a Suggestion in https://jira.atlassian.com/browse/ACCESS-648

Could you please kindly check if this corresponds to your scenario also?
The former request was slightly diverge, but only for some details.

If this matches the current status was that this Suggestion is ongoing and it should not take so long until this is implemented.

Regards,
Daniel

View More Comments
Peter Bance
Peter Bance Dec 31, 2020

Thank you - that's exactly it. I will go comment on the Issue (didn't think to search there).

Like
Daniel Ebers
Daniel Ebers
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Dec 31, 2020

No worries! Here are so many information stored -- which is pretty good -- but sometimes it is hard to find all of them quickly.

Glad this helped!

Like
Reply
0 votes
Wim Abts
Wim Abts Feb 23, 2022

@Christopher Mahoski 

Hi Christopher, 
Did you get this to work? We have the same requirement and are preparing for Cloud migration.

View More Comments
Christopher Mahoski
Christopher Mahoski Feb 23, 2022

No, unfortunately, we've had to stay on-prem for now as well as use other products.  Atlassian is tracking improvements for Q2-Q3 of this year as referenced in this issue.

[ACCESS-102] Enforce security policies for users not on verified domains - Create and track feature requests for Atlassian products.

Like Wim Abts likes this
Wim Abts
Wim Abts Jun 03, 2022

Hi,
But that's only in regard to setting security policies, I don't think that single sign-on will be included in that (only stuff like password strength and 2FA).
We have guest accounts in Azure AD which log on to SharePoint Online, they will have a different password in Atlassian if there's no SSO....

Like
Reply
0 votes
Christopher Mahoski
Christopher Mahoski Aug 04, 2021

Peter, did you ever find a way to have your unmanaged guests login via SSO with AAD?  We're up against the same situation and provisioning isn't the problem.

View More Comments
Peter Bance
Peter Bance Aug 04, 2021

Yes, it's all working since an Atlassian update a while back. I had to tweak the SAML attributes in the Azure AD enterprise app, as the defaults use UPN as UID (which can be "peculiar" for Guest accounts):

image.png

Like
Christopher Mahoski
Christopher Mahoski Aug 05, 2021

Thanks for the quick reply Peter!  We tried provisioning a Guest (different domain than our verified domain) into our Atlassian cloud directory and it imports as a user of the products, but never shows in our directory of managed accounts.  We still seem to not have the ability to scope an authentication policy to anything other than managed accounts, so the guest logging in with an email address and domain different than our verified managed domain still doesn't work.  Are we missing something by chance?

Like
Peter Bance
Peter Bance Aug 06, 2021

Hmm, not a problem I've come across, I'm afraid - I have a single default Authentication Policy set up (applies to "All Users"), with "Enforce SSO" set, as we don't need to support non-SSO users, so it may be I'd have a similar problem if I had to support that. Sadly, it sounds like this needs to be an Atlassian support ticket 😒

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira Software
Jira Software
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
TAGS
AUG Leaders

Atlassian Community Events

See all events