Customer Login to Jira Cloud using Adfs

Anandaraj M October 2, 2019

Hi,

I am using Jira Cloud. How do I configure ADFS? Once ADFS is configured, does it impact the existing customers?

In other words, would ADFS overwrite the existing customer ID, or will it create a second (duplicate) ID for the customer?

Please suggest.

Thanks

Anandaraj.M

1 answer

1 vote
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 10, 2019

Hi,

I understand that you have Jira Cloud and want to learn more about using AD FS with it. Atlassian has recently published a guide that will be helpful here. Please see Configure SAML single sign-on with Active Directory Federation Services (AD FS).

In order to use AD FS with Atlassian Cloud, you will need to subscribe your Cloud site to Atlassian Access.

As for what this does to your existing accounts, there are related documents that explain this as well; check out Atlassian Access - User provisioning - Supported user account operations.

Supported user account operations

When you perform these user management operations from your identity provider, your updates will sync with your Atlassian Cloud organization.

We only sync user accounts from your identity provider to your Atlassian organization when they have email addresses from verified domains. We won't create, link, or update user accounts in Atlassian Cloud with email addresses outside of your verified domains (e.g. gmail.com or yahoo.com).

So for Atlassian Cloud, the email addresses your users currently have in that site and the email addresses found in AD FS will determine if new accounts are created or just existing accounts are updated.  If there are uniquely different email addresses between the two locations, then I'd expect new accounts to be added.  Otherwise, I'd expect there to only be a single account for that account.

I hope this helps.

Andy

Dario B
Atlassian Team
October 11, 2019

Hi @Anandaraj M ,

In order to summarize what was written by my colleague @Andy Heinzer and add some more details:

I hope this explains.

Cheers,
Dario

Anandaraj M October 14, 2019

Hi Andy / Dario,

Thank you for your guidance and suggestion.

Anand.

Anandaraj M October 15, 2019

Hi Andy,

Thanks for the clarification.

We need to complete the AD FS to make it a single sign-on; however, this process will take a minimum of 2 months from our end. Hence, we are planning to do this customer creation in 2 phases.

Phase-1 – We wanted to upload the customer details in Jira Cloud manually and set individual passwords so that we can start using Jira Cloud for Service Desk ticketing. There will be approximately 2500 customer email IDs.

Phase-2 – Once the AD FS is ready, we plan to sync the customer details in Jira Cloud so that the AD password can be used and we can make it a single sign-on.

In this regard, the IDs created in Jira during Phase-1 will be similar to the IDs which will be synced in Phase-2. As per your input, we understand that we will not have any issues during the Phase-2 implementation and users can access Jira Cloud with their existing IDs using the FSS Active Directory password.

So for Atlassian Cloud, the email addresses your users currently have in that site and the email addresses found in AD FS will determine if new accounts are created or just existing accounts are updated.  If there are uniquely different email addresses between the two locations, then I'd expect new accounts to be added.  Otherwise, I'd expect there to only be a single account for that account.

Anand.

Anandaraj M October 17, 2019

Hi Andy, 

Can you please confirm the above points?

Anand.

Andy Heinzer
Atlassian Team
October 17, 2019

Hi @Anandaraj M 

Thanks for the additional information about your use case here.

In your Phase 2 steps, the user email addresses need to be exactly the same in the new user directory (not just similar) as the existing accounts in the current directory in order for them to be linked up when you sync this new external directory to Atlassian Cloud.   This is noted in the guide linked above:

After you connect your identity provider to your Atlassian organization, synced directory groups appear in your Atlassian organization and you're unable to make changes to a user's account from the organization.

If your Atlassian organization already has existing users:

  • And the identity provider has a user with the same email address as a user in your organization, we'll create a link between both user accounts. Going forward, you can only make changes to the user's account from your identity provider.

As for Phase 1: I don't believe it will be possible for you to manually create these user accounts on behalf of all those users AND set the password for them in Atlassian Cloud today.  There currently is not a means for you to just upload a file (such as a csv) of user accounts complete with their passwords defined in Jira Cloud.  There is a feature request for a means to bulk account create in Service Desk Cloud in JSDCLOUD-1829 - Bulk Import Customers from External File.  But this request does indicate the methods that you can use to at least create those 2500 Service Desk customer accounts in Atlassian Cloud.

Workaround

  • New Customers can be created manually
    • Use the Invite Customers Link and specify each Email Address for New Customers (space delimited for multiple addresses; eg email1@domain.com email2@domain.com etc)
  • Each Customer can self-register to access the Service Desk (if configured for self sign-up)
  • Create a customer via REST API

Please note that all these workarounds just create the account itself.  These do not actually allow you anywhere within Jira to set that user account's password directly.  Instead the invitation method is what is suggested here so that the end users get an email that invites them to this site to complete their own account credentials in the signup stage.

I hope this helps.

Please let me know if you have any concerns about these steps.

Andy
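
An added example, not part of the original replies and not Atlassian code: a pre-sync check that compares the customer emails already in the Cloud site with the emails the identity provider will sync, following the rules quoted in this thread (only verified domains are synced, and accounts link only on the same email address). The verified domain, the addresses and the function names are constructed for illustration; how the service treats addresses that differ only in case or whitespace is not stated in the thread, so those are reported for manual review rather than assumed to link.

```python
# Constructed sample data; replace with exports from the Cloud site and from AD.
VERIFIED_DOMAINS = {"example.com"}  # assumption: the organization's verified domains
EXISTING = ["alice@example.com", "Bob@example.com", "carol@example.com", "dave@gmail.com"]
IDP = ["alice@example.com", "bob@example.com", "erin@example.com",
       "dave@gmail.com", "carol@example.org"]


def domain_of(email):
    """Domain part of an address, lower-cased (DNS names are case-insensitive)."""
    return email.strip().rsplit("@", 1)[-1].lower()


def normalise(email):
    """Used only to spot near-misses; linking is judged on the exact string."""
    return email.strip().lower()


def reconcile(existing_emails, idp_emails, verified_domains=VERIFIED_DOMAINS):
    existing = set(existing_emails)
    by_norm = {}
    for e in existing_emails:
        by_norm.setdefault(normalise(e), e)

    report = {"link": [], "create": [], "not_synced": [], "review": []}
    for email in idp_emails:
        if domain_of(email) not in verified_domains:
            report["not_synced"].append(email)      # outside verified domains
        elif email in existing:
            report["link"].append(email)            # same address on both sides
        elif normalise(email) in by_norm:
            # "similar" but not identical: fix one side before syncing
            report["review"].append((email, by_norm[normalise(email)]))
        else:
            report["create"].append(email)          # no counterpart in the site

    matched = set(report["link"]) | {old for _, old in report["review"]}
    # Existing accounts that no identity-provider user corresponds to
    report["unmatched_existing"] = sorted(existing - matched)
    return report


if __name__ == "__main__":
    for category, items in reconcile(EXISTING, IDP).items():
        print(category, items)
```
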

Anandaraj M October 29, 2019

Thanks again Andy. Surely will get back to you if we have any concern on the above workaround.

Meanwhile, can you please share the list of public IP addresses and port details which need to be whitelisted in our network firewall, so that the users are able to access only our JIRA portal (https://financialsoftwaresystems.atlassian.net/)?

Anand

Andy Heinzer
Atlassian Team
October 30, 2019

Hi @Anandaraj M 

I am afraid that our Atlassian Cloud services could be using any of the IP addresses listed on the site https://ip-ranges.atlassian.com/. There is also another documented guide about the domain names in use you can find in https://confluence.atlassian.com/cloud/atlassian-cloud-ip-ranges-and-domains-744721662.html

However, I do not know for sure that you could prevent your users from accessing other Atlassian Cloud sites without also potentially restricting your own.  The nature of the Atlassian Cloud services means that all these cloud sites could be utilizing nearly all of the shared addresses/domains on the back end.  Perhaps you could restrict all the *.atlassian.net and *.jira.com (a legacy Atlassian Cloud address) domains in your network, except for your own of financialsoftwaresystems.atlassian.net.  If you did this, but still whitelisted all the other domains and addresses in those two links above, then your users should still be able to access your Cloud site.

As for the ports needed, we do not appear to have this detail documented for our Cloud services.  However I would expect that your end users would need to have outbound access to these above addresses over ports 80 and 443 at the very least.  This would also seem to be confirmed in the related post of https://community.atlassian.com/t5/Jira-Core-questions/What-ports-does-JIRA-Cloud-use/qaq-p/286736

But depending on what other integrations you might have with your Atlassian Cloud site, such as your Atlassian Cloud site accessing an external email service, if that mail server is behind your firewall, then you would need to open inbound access over SMTP, IMAP, or POP protocols, such as 25, 465, 993 for your Cloud site to be able to access that email account.

Andy
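
An added example, not part of the original reply and not Atlassian code: the hostname rule suggested above (block other sites under *.atlassian.net and *.jira.com, allow your own site, keep the shared domains allowed) written as a decision function, with suffix matching done on label boundaries so look-alike names are not misclassified. `SHARED_ALLOW` holds constructed placeholders standing in for the domains listed on the two linked Atlassian pages; the function names are hypothetical.

```python
OWN_SITE = "financialsoftwaresystems.atlassian.net"  # the site named in this thread
TENANT_SUFFIXES = ("atlassian.net", "jira.com")      # per-site domains named in the reply
# Constructed placeholders: fill from the two Atlassian pages linked in the reply.
SHARED_ALLOW = ("shared-assets.example",)


def canonical(host):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return host.strip().rstrip(".").lower()


def is_subdomain(host, suffix):
    """True only for names below `suffix`, matched on a label boundary."""
    return host.endswith("." + suffix)


def decide(host):
    """Return 'allow', 'block', or 'default' (left to the firewall's other rules)."""
    h = canonical(host)
    if h == OWN_SITE:
        return "allow"                      # exact match on the organization's site
    if any(is_subdomain(h, s) for s in TENANT_SUFFIXES):
        return "block"                      # any other Cloud site
    if any(h == s or is_subdomain(h, s) for s in SHARED_ALLOW):
        return "allow"                      # shared back-end domains stay reachable
    return "default"


def evaluate(hosts):
    """Map each requested hostname to its decision, e.g. for reviewing a proxy log."""
    return {h: decide(h) for h in hosts}


if __name__ == "__main__":
    # Constructed hostnames, including look-alikes a naive substring match gets wrong.
    sample = [OWN_SITE, "other-tenant.atlassian.net", "legacy.jira.com",
              "notatlassian.net", OWN_SITE + ".example", "cdn.shared-assets.example"]
    for name, verdict in evaluate(sample).items():
        print(f"{verdict:8} {name}")
```
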

Anandaraj M November 7, 2019

Hi Andy,

Thank you. Can you please help me with how to configure SLA and SLA email alerts?

Thanks

Anandaraj.M

Andy Heinzer
Atlassian Team
November 11, 2019

Hi,

Since this latest question is rather different than the original topic, I would instead invite you to create a new question in the Jira Service Desk collection.  This way your question will be more easily searchable by other users that might have the same concerns. 

Since we know you're likely using Jira Service Desk Cloud here, I would start with the guide in Create service level agreements (SLAs) to manage your team's service goals.  However if this is insufficient, please create a new question and we will try to better answer any concerns you might have about setting this up.

Thanks

Andy
