Hello,
We are trying to implement SSO using Atlassian Access and we are facing a small problem.
Situation: We have a Cloud instance and a separate app that uses the same users from the OneLogin directory. When the first login is initiated in our app and then we go to Jira Cloud, we are required to enter an email. If the email ends with a verified domain, Jira redirects us to the single sign-on provider and logs us in.
Problem: We want to avoid entering the email if we are already authenticated with our identity provider. Is it possible?
The only way to bypass entering your email would be to have the user start from the SSO tool. For example, clicking the chicklet in Okta or something.
Thank you Boris!
I was able to retrieve the user's Jira app ID from the OneLogin API and generate the same URL that OneLogin uses to redirect after clicking that chicklet:
https://{mydomain}.onelogin.com/client/apps/select/{userAppID}/?RelayState={redirectURL}
OneLogin API endpoint for user apps:
https://developers.onelogin.com/api-docs/2/users/get-user-apps
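The answer above describes looking up the user's Jira app ID via the OneLogin user-apps endpoint and then assembling the app-select URL with a RelayState. The following is an added example (not code from the original post or from OneLogin) showing how a defender would build that URL safely: the RelayState is URL-encoded rather than concatenated, and it is checked against an allowlist of destination hosts so the launch link cannot be turned into an open redirect. The `id` and `name` field names in the sample app list, the `example` subdomain, and the allowlisted host are assumptions made for this example.

```python
import re
from urllib.parse import urlencode, urlparse

# Constructed sample of what a user-apps lookup might return; the field
# names "id" and "name" are an assumption, not taken from the OneLogin docs.
SAMPLE_USER_APPS = [
    {"id": 1001, "name": "Slack"},
    {"id": 1002, "name": "Jira Cloud"},
]

# Hosts that a RelayState may point at. Constructed for this example; in
# practice this is the Atlassian site (and any portal hosts) you operate.
ALLOWED_RELAY_HOSTS = {"example.atlassian.net"}

# OneLogin subdomains are simple DNS labels; anything else is rejected so the
# caller cannot smuggle a path or another host into the URL.
_SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def find_user_app_id(apps, app_name):
    """Return the id of the app whose name matches app_name (case-insensitive)."""
    for app in apps:
        if app.get("name", "").lower() == app_name.lower():
            return int(app["id"])
    raise LookupError(f"no app named {app_name!r} assigned to this user")


def relay_state_is_allowed(relay_url, allowed_hosts=ALLOWED_RELAY_HOSTS):
    """True only for an https URL whose host is on the allowlist.

    RelayState is a free-form string that the identity provider echoes back
    and that Jira follows after sign-in, so an attacker-controlled value
    would turn the launch link into an open redirect.
    """
    parsed = urlparse(relay_url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


def build_onelogin_app_launch_url(subdomain, user_app_id, relay_url,
                                  allowed_hosts=ALLOWED_RELAY_HOSTS):
    """Assemble https://{subdomain}.onelogin.com/client/apps/select/{id}/?RelayState=..."""
    if not _SUBDOMAIN_RE.match(subdomain):
        raise ValueError(f"invalid OneLogin subdomain: {subdomain!r}")
    if not isinstance(user_app_id, int) or user_app_id <= 0:
        raise ValueError(f"invalid user app id: {user_app_id!r}")
    if not relay_state_is_allowed(relay_url, allowed_hosts):
        raise ValueError(f"RelayState target not allowlisted: {relay_url!r}")
    query = urlencode({"RelayState": relay_url})  # percent-encodes the nested URL
    return f"https://{subdomain}.onelogin.com/client/apps/select/{user_app_id}/?{query}"


if __name__ == "__main__":
    app_id = find_user_app_id(SAMPLE_USER_APPS, "Jira Cloud")
    print(build_onelogin_app_launch_url(
        "example", app_id,
        "https://example.atlassian.net/servicedesk/customer/portal/1"))
```

The same allowlist check belongs wherever your own application accepts a "return to" parameter before bouncing the user to the identity provider; the IdP does not validate RelayState for you.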
Is there a solution for this problem? We have the same problem with Microsoft Azure and we cannot find a solution for our users. We use Jira Service Management and want to use the portal...
With SAML SSO there is the SP (Service Provider) initiated flow and the IDP (Identity Provider) initiated flow.
In case you have SSO configured for Atlassian Access (SP) with Azure AD (IDP), you have the following situation:
The IDP-initiated flow (via myapps.microsoft.com) performs a number of redirects and provides seamless sign-in to the end user without having to enter an email address, if the user is already authenticated on the Microsoft platform. You can find the URL in the Azure AD admin portal under Applications -> Enterprise Applications -> Jira Cloud -> Properties -> User Access URL.
The SP-initiated flow prompts the user for an email address and also offers the "Continue with Microsoft" button to sign in directly with the MS account. If the user is already signed in to Microsoft (through an AAD-joined computer), the sign-in is seamless after clicking the button.
Challenges:
While it technically works, I have a few challenges with the way Atlassian implemented SSO.
While the IDP-initiated flow is seamless, it does create a number of redirects, causing a delay of a few seconds before the user sees the customer portal. This does not give an ideal user experience if the user is clicking the link multiple times a day to create tickets or read KB articles.
The SP-initiated flow requires user education. We need to train users to click the "Sign in with Microsoft" button. Once signed in, session cookies are retained for 30 days, so the user will not be prompted again.
Ideal solution:
Would be to find some way to authenticate the user at sign-in, creating the session cookie in the background. So far I've not found a way of achieving this.
Has anyone found a solution for this problem in the meantime? In my opinion, it is more than catastrophic that Atlassian cannot offer a meaningful solution here.
We agree; this is a huge annoyance for our users, and no other platform we use has this kind of experience.
This issue has been ongoing since 2021 with no comment from Atlassian other than "No, it can't be done", when it is clearly an ongoing concern. Can we have this looked at? I had a call from my CEO today complaining about this issue when he was clicking an approval email. It needs to be investigated further. This is ridiculous.