It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Customer Login to Jira Cloud using Adfs Edited

Hi,

 

I am using jira cloud. how to configure ADFS, Once ADFS is configured does it impact the existing customers?

In another word does ADFS would overwrite the existing customer ID or it will create second (duplicate) ID for the customer.

Please suggest 

Thanks

Anandaraj.M

 

 

1 answer

0 votes
Andy Heinzer Atlassian Team Oct 10, 2019

Hi,

I understand that you have Jira Cloud and want to learn more about using AD FS with it.  Atlassian has recently published a guide that will be helpful here.  Please see, Configure SAML single sign-on with Active Directory Federation Services (AD FS).

In order to use AD FS with Atlassian Cloud, you will need to subscribe your Cloud site to Atlassian Access.

As for what this does to your existing accounts, there are related documents that explain this as well, check out Atlassian Access - User provisioning - Supported user account operations.

Supported user account operations

When you perform these user management operations from your identity provider, your updates will sync with your Atlassian Cloud organization.

We only sync user accounts from your identity provider to your Atlassian organization when they have email addresses from verified domains. We won't create, link, or update user accounts in Atlassian Cloud with email addresses outside of your verified domains (e.g. gmail.com or yahoo.com).

So for Atlassian Cloud, the email addresses your users currently have in that site and the email addresses found in AD FS will determine if new accounts are created or just existing accounts are updated.  If there are uniquely different email addresses between the two locations, then I'd expect new accounts to be added.  Otherwise, I'd expect there to only be a single account for that account.

I hope this helps.

Andy

Dario Atlassian Team Oct 11, 2019

Hi @Anandaraj M ,

In order to summarize what written by my colleague @Andy Heinzer and add some more details:

I hope this explains. 

 

Cheers,
Dario

Hi Andy / Dario,

Thank you for your guidance and suggestion.

Anand.

Like Dario likes this

Hi Andy,

Thanks for the clarification.

We need to complete the AD FS to make it as a single sign-on, however this process will take time minimum 2 months from our end. Hence, we are planning to do this customer creation in 2 Phases.

Phase-1 – We wanted to upload the customer details in the Jira Cloud manually and set individual passwords so that we can start using the Jira Cloud for Service Desk ticketing. Approximately, the customer email ID will be 2500.

Phase-2 – Once the AD FS is ready, we will plan to Sync the customer details in Jira Cloud so that AD password can be used so that we can make it as a single sign-on.

In this regards, ID created in Jira during Phase-1 will be the similar IDs which will be Sync in Phase-2. As per your input, we understand that we will be not have any issues during Phase-2 implementation and users can access the Jira Cloud with their existing IDs using FSS Active Directory password.

So for Atlassian Cloud, the email addresses your users currently have in that site and the email addresses found in AD FS will determine if new accounts are created or just existing accounts are updated.  If there are uniquely different email addresses between the two locations, then I'd expect new accounts to be added.  Otherwise, I'd expect there to only be a single account for that account.

Anand.

Hi Andy, 

Can you please confirm the above points.

Anand.

Andy Heinzer Atlassian Team Oct 17, 2019

Hi @Anandaraj M 

Thanks for the additional information about your use case here.

In your Phase 2 steps, the user email addresses need to be exactly the same in the new user directory (not just similar) as the existing accounts in the current directory in order for them to be linked up when you sync this new external directory to Atlassian Cloud.   This is noted in the guide linked above:

After you connect your identity provider to your Atlassian organization, synced directory groups appear in your Atlassian organization and you're unable to make changes to a user's account from the organization.

If your Atlassian organization already has existing users:

  • And the identity provider has a user with the same email address as a user in your organization, we'll create a link between both user accounts. Going forward, you can only make changes to the user's account from your identity provider.

As for Phase 1: I don't believe it will be possible for you to manually create these user accounts on behalf of all those users AND set the password for them in Atlassian Cloud today.  There currently is not a means for you to just upload a file (such as a csv) of user accounts complete with their passwords defined in Jira Cloud.  There is a feature request for a means to bulk account create in Service Desk Cloud in JSDCLOUD-1829 - Bulk Import Customers from External File.  But this request does indicate the methods that you can use to at least create those 2500 Service Desk customer accounts in Atlassian Cloud.

Workaround

  • New Customers can be created manually
    • Use the Invite Customers Link and specify each Email Address for New Customers (space delimited for multiple addresses; eg email1@domain.com email2@domain.com etc)
  • Each Customer can self-register to access the Service Desk (if configured for self sign-up)
  • Create a customer via REST API

Please note that all these workarounds just create the account itself.  These do not actually allow you anywhere within Jira to set that user account's password directly.  Instead the invitation method is what is suggested here so that the end users get an email that invites them to this site to complete their own account credentials in the signup stage.

I hope this helps.

Please let me know if you have any concerns about these steps.

Andy

Thanks again Andy. Surely will get back to you if we have any concern on the above workaround.

Meanwhile can you please share the list of public IP address and ports details which need to whitelisted in our Network firewall. So that the users are able access only our JIRA portal (https://financialsoftwaresystems.atlassian.net/).

Anand

Andy Heinzer Atlassian Team Oct 30, 2019

Hi @Anandaraj M 

I am afraid that our Atlassian Cloud services could be using any of the IP addresses listed on the site https://ip-ranges.atlassian.com/. There is also another documented guide about the domain names in use you can find in https://confluence.atlassian.com/cloud/atlassian-cloud-ip-ranges-and-domains-744721662.html

However, I do not know for sure that you could prevent your users from accessing other Atlassian Cloud sites without also potentially restricting your own.  The nature of the Atlassian Cloud services means that all these cloud sites could be utilizing nearly all of the shared addresses/domains on the back end.  Perhaps you could restrict all the *.atlassian.net and *.jira.com (a legacy Atlassian Cloud address) domains in your network, except for your own of financialsoftwaresystems.atlassian.net.  If you did this, but still whitelisted all the other domains and addresses in those two links above, then your users should still be able to access your Cloud site.

As for the ports needed, we do not appear to have this detail documented for our Cloud services.  However I would expect that your end users would need to have outbound access these above addresses over ports 80 and 443 at the very least.  This would also seem to be confirmed in the related post of https://community.atlassian.com/t5/Jira-Core-questions/What-ports-does-JIRA-Cloud-use/qaq-p/286736

But depending on what other integrations you might have with your Atlassian Cloud site, such as your Atlassian Cloud site accessing an external email service, if that mail server is behind your firewall, then you would need to open inbound access over SMTP, IMAP, or POP protocols, such as 25, 465, 993 for your Cloud site to be able to access that email account.

Andy

Hi Andy,

Thank you. Can you please help me how to configure SLA and SLA email alerts? 

Thanks

Anandaraj.M

Andy Heinzer Atlassian Team Nov 11, 2019

Hi,

Since this latest question is rather different than the original topic, I would instead invite you to create a new question in the Jira Service Desk collection.  This way your question will be more easily searchable by other users that might have the same concerns. 

Since we know you're likely using Jira Service Desk Cloud here, I would start with the guide in Create service level agreements (SLAs) to manage your team's service goals.  However if this is insufficient, please create a new question and we will try to better answer any concerns you might have about setting this up.

Thanks

Andy

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted in Jira

Demo Den Ep. 7: New Jira Cloud Reports

Learn how to use two new reports for next-gen projects in Jira Cloud:  Cumulative flow diagram and Sprint burndown chart. Ivan Teong, Product Manager, Jira Software, demos the Cumulative ...

334 views 1 3
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you