I'm trying to set up Atlassian Access for SSO with Azure Active Directory and so far, everything is working fine for regular accounts, e.g. firstname.lastname@example.org.
My question is: can Azure B2B guest users also log on to Atlassian Access (e.g. email@example.com)?
On the face of it, it does not seem possible, as their email address domains are not registered as verified domains in Atlassian Cloud. I worked around this by logging in with the Azure UPN (e.g. test1_somedomain.com#EXTfirstname.lastname@example.org), which correctly redirects to the Azure login page.
Atlassian receives the SAML message, but then displays this message:
I assumed that this was due to the fact that Azure would deliver "email@example.com" as an assertion inside the SAML message and Atlassian checks that against the verified domains (say, "verifieddomain.com") and the mismatch leads to the message.
Now, I configured Azure so that "firstname.lastname@example.org" is delivered inside the SAML message:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
  <AttributeValue>email@example.com</AttributeValue>
</Attribute>
The same message still appears though. I'm at a loss now. Any suggestions? Has anybody got this to work?
What exactly is happening behind the scenes here in Atlassian Access?
Thanks and cheers
Hi @Nils Löber ,
The screenshot with the error message seems to be missing. Can you kindly re-upload it so that we can check what the returned error is?
Also, did you actually provision/invite the test user to the instance before trying to log in?
Thank you for your reply. Here is the screenshot again:
The message text is:
Whoops! The email address you entered can't be used to log in here. Try logging in from id.atlassian.com, or check your email address with your Organisation admin.
I did not provision the user, but I did enable "Anyone can join", so I would assume the invitation would not be the problem. (I couldn't get provisioning to work yet, and sending an invite by email is tricky in this case because the pseudo-address, i.e. test1_somedomain.com#EXTfirstname.lastname@example.org, does not work as an email address alias in Azure.)
Thanks and best regards
Hi @Nils Löber ,
Unluckily, the screenshot is still missing. However, if I have a correct understanding of what is happening, I can say that it is perfectly normal that the 'external' email address does not work, since it does not belong to the verified domain for your Organization.
As a workaround you could do something similar:
Let me know if this helps or, if I didn't understand the problem correctly, please provide more details.
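An added diagnostic, not part of the original thread and not Atlassian's or Microsoft's code: it decodes a captured SAMLResponse and reports, for both NameID and the emailaddress claim, whether the value falls in a verified domain, because the two are configured separately in the IdP. The sample response, the domain names and the assumption that either field may be the one the service provider checks are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def domain_status(value, verified):
    """Classify one identifier against a set of lower-case verified domains."""
    if "#EXT#" in value.upper():
        return "guest-upn"  # Azure AD B2B guest UPN form, not a mailbox address
    local, sep, domain = value.rpartition("@")
    if not (sep and local and domain):
        return "not-an-email"
    return "verified" if domain.lower() in verified else "unverified-domain"


def inspect_response(saml_response_b64, verified_domains):
    """Return {field: (value, status)} for NameID and the emailaddress claim."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(xml_bytes)
    verified = {d.lower() for d in verified_domains}
    found = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        found["NameID"] = name_id.text.strip()
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if attr.get("Name") == EMAIL_CLAIM and value is not None and value.text:
            found["emailaddress"] = value.text.strip()
    return {k: (v, domain_status(v, verified)) for k, v in found.items()}


# Constructed sample (not from the thread): NameID still carries the guest UPN
# while the emailaddress claim has been rewritten to a verified-domain address.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID>guest_partner.example#EXT#@tenant.example</saml:NameID></saml:Subject>
 <saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
 <saml:AttributeValue>guest@verifieddomain.example</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>""").decode()

if __name__ == "__main__":
    for field, (value, status) in inspect_response(SAMPLE, ["verifieddomain.example"]).items():
        print(f"{field:13} {status:18} {value}")
```

The script performs no signature validation and reads nothing from an encrypted assertion, so it is only for inspecting a response captured from your own test login.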