Can Azure AAD Guest Users log in with Atlassian Access?

Deleted user August 29, 2019

Hi all,

I'm trying to set up Atlassian Access for SSO with Azure Active Directory and so far, everything is working fine for regular accounts. e.g. account@verifieddomain.com.

My question is: can Azure B2B guest users also log on to Atlassian Access (e.g. account@somedomain.com)?

On the face of it, it does not seem possible, as their email address domains are not registered as verified domains in Atlassian Cloud. I worked around this by logging in with the Azure UPN (e.g. test1_somedomain.com#EXT#@verifieddomain.com), which correctly redirects to the Azure login page.

Atlassian receives the SAML message, but then displays this message:

I assumed that this was due to the fact that Azure would deliver "test1@somedomain.com" as an assertion inside the SAML message and Atlassian checks that against the verified domains (say, "verifieddomain.com") and the mismatch leads to the message.

Now, I configured Azure so that "whatever@verifieddomain.com" is delivered inside the SAML message:

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
  <AttributeValue>whatever@verifieddomain.com</AttributeValue>
</Attribute>

The same message still appears though. I'm at a loss now. Any suggestions? Has anybody got this to work? 

What exactly is happening behind the scenes here in Atlassian Access?


Thanks and cheers
Nils

1 answer

0 votes
Dario B
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 30, 2019

Hi @[deleted] ,

The screenshot with the error message seems to be missing. Can you kindly re-upload it so that we can check what the returned error is?

Also, did you actually provision/invite the test user to the instance before trying to log in?


Thanks,
Dario

Deleted user September 5, 2019

Hi Dario,

thank you for your reply. Here is the screenshot again:

The message text is:

Oops, there was an error logging you in.

Whoops! The email address you entered can't be used to log in here. Try logging in from id.atlassian.com, or check your email address with your Organisation admin.

Configuration guide and troubleshooting


I did not provision the user, but I did enable "Anyone can join", so I would assume the invitation would not be the problem. (I couldn't get provisioning to work yet, and sending an invite by email is tricky in this case because the pseudo-address, i.e. test1_somedomain.com#EXT#@verifieddomain.com, does not work as an email address alias in Azure.)

Thanks and best regards
Nils

Dario B
Atlassian Team
October 17, 2019

Hi @[deleted] ,

Unluckily the screenshot is still missing, however, if I have a correct understanding of what is happening I can say that it is perfectly normal that the 'external' email address does not work since it does not belong to the verified domain for your Organization.

As a workaround you could do something similar:

  1. Create a group in AD for the guest accounts
  2. Create a temporary (valid) email address for the user that is something like user_somedomain.com@verifieddomain.com and add it to the group
  3. Synchronize the group so that the user will be provisioned to the instance (see the User Provisioning page for details on how to do so)
  4. Once the project is over, deactivate the user in AD; this way, since the group is synchronized, it will be removed from your site as well.


Let me know if this helps or, if I didn't understand the problem correctly, please provide more details.


Cheers,
Dario
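The workaround above maps each guest's external address onto a temporary alias in the verified domain. As an added example (not code from this thread, from Atlassian or from Microsoft), the following Python helper models the verified-domain check the thread describes and derives that alias from an Azure B2B guest UPN; the verified-domain set and the rule that Azure replaces the guest's "@" with "_" before "#EXT#" are assumptions based on the UPN format shown in the question.

```python
# Added example: models the verified-domain check the thread describes and the
# guest-UPN -> temporary-alias mapping from the workaround. Sample values are constructed.
from typing import Optional, Tuple

VERIFIED_DOMAINS = {"verifieddomain.com"}  # assumed: the org's verified domains in Atlassian Cloud
EXT_MARKER = "#EXT#"  # Azure's B2B guest marker as shown in the thread


def allowed_by_verified_domain(email: str, verified=VERIFIED_DOMAINS) -> bool:
    """True if the domain of the SAML email claim is one of the org's verified domains."""
    if "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() in {d.lower() for d in verified}


def parse_guest_upn(upn: str) -> Optional[Tuple[str, str]]:
    """Split a guest UPN (local_extdomain#EXT#@tenant) into (original email, tenant).
    Returns None for anything that is not a guest UPN."""
    mangled, marker, tenant = upn.partition(EXT_MARKER)
    if not marker or not tenant.startswith("@") or "@" in mangled:
        return None
    # Assumed: Azure replaces the guest's '@' with '_'; DNS names contain no '_',
    # so the last '_' separates the original local part from the external domain.
    local, sep, ext_domain = mangled.rpartition("_")
    if not sep or not local or "." not in ext_domain:
        return None
    return f"{local}@{ext_domain.lower()}", tenant[1:].lower()


def workaround_alias(upn: str) -> Optional[str]:
    """Temporary address in the verified domain, as in the suggested workaround:
    test1_somedomain.com#EXT#@verifieddomain.com -> test1_somedomain.com@verifieddomain.com"""
    parsed = parse_guest_upn(upn)
    if parsed is None:
        return None
    original, tenant = parsed
    return original.replace("@", "_") + "@" + tenant


def diagnose(upn: str, verified=VERIFIED_DOMAINS) -> str:
    """One-line verdict per account, usable over a list of UPNs exported from Azure."""
    parsed = parse_guest_upn(upn)
    if parsed is None:
        return "member account" if allowed_by_verified_domain(upn, verified) else "domain not verified"
    original, _ = parsed
    if allowed_by_verified_domain(original, verified):
        return f"guest {original}: domain verified"
    return f"guest {original}: domain not verified, alias {workaround_alias(upn)}"
```

Running diagnose over an export of guest UPNs lists which accounts need the temporary alias before the group is synchronized.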
