We use Atlassian Access, Jira, Jira Service Desk & Confluence and have configured SAML Single Sign On.
We are soon to change our primary email domain used by our SAML service. Will this break our existing Jira configuration? What do we do to migrate all users to the new email address?
Many thanks.
Hi Kieren,
Thanks for using Atlassian Community.
The SAML-SSO integration in Atlassian Access can implement the change. When you update the email address of the user on the IdP side, the change will be propagated to the Atlassian side on the user's next login.
Once the account on the Atlassian side is updated with the new email address, the end user will continue to have access to their Atlassian cloud data from prior to the change. That includes Jira, Confluence and JSD on cloud.
Prerequisites:
1. The new domain is claimed on the Atlassian Access organization.
2. The target email address should not be an existing Atlassian Account, otherwise the change propagation will fail.
Once you add the new domain in your organization, the Managed Accounts section will start to list all Atlassian Accounts under the new domain.
TIP: Deleting an account has a grace period of 2 weeks. The quickest method to free up the target email address is to change the account's email address in Managed Accounts to a dummy one.
Procedure:
Just a watch out if you are using Azure AD, check the attribute mapping for the SAML-SSO setup. The Azure attribute (UPN or mail) that is mapped to the "Unique User Identifier (Name ID)" will be the value that will trigger the change into Atlassian.
I hope this helps.
Cheers,
Ramon
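A pre-flight check for the prerequisites and the Azure AD Name ID caveat in the answer above, as an added example that is not part of the original post and not Atlassian's tooling. The CSV layouts, column names and the `preflight` helper are assumptions; the sample data is constructed.

```python
import csv
import io

# Constructed sample inputs. Column names are assumptions for this example,
# not an Atlassian or Azure AD export format.
MANAGED_ACCOUNTS_CSV = """email
alice@old.example
bob@old.example
bob@new.example
carol@old.example
"""

IDP_USERS_CSV = """upn,mail
alice@new.example,alice@new.example
bob@new.example,bob@new.example
carol@new.example,carol.smith@new.example
dave@other.example,dave@other.example
"""


def preflight(idp_csv, accounts_csv, nameid_attr, claimed_domains):
    """Classify each user's post-change Name ID value against the prerequisites."""
    existing = {r["email"].strip().lower()
                for r in csv.DictReader(io.StringIO(accounts_csv))}
    claimed = {d.lower() for d in claimed_domains}
    report = {"ok": [], "collision": [], "unclaimed_domain": [], "attr_mismatch": []}
    for row in csv.DictReader(io.StringIO(idp_csv)):
        # The attribute mapped to Name ID (upn or mail) is the address sent at login.
        target = row[nameid_attr].strip().lower()
        domain = target.rpartition("@")[2]
        if domain not in claimed:
            report["unclaimed_domain"].append(target)   # prerequisite 1 not met
        elif target in existing:
            report["collision"].append(target)          # prerequisite 2 not met
        else:
            report["ok"].append(target)
        # UPN and mail differ: the Name ID mapping decides which address is sent.
        if row["upn"].strip().lower() != row["mail"].strip().lower():
            report["attr_mismatch"].append(target)
    return report


if __name__ == "__main__":
    for attr in ("upn", "mail"):
        print(attr, preflight(IDP_USERS_CSV, MANAGED_ACCOUNTS_CSV, attr, {"new.example"}))
```

Addresses reported under `collision` are the ones that need freeing (for example by the dummy-address tip above) before the IdP change is made.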
Such a great answer. Full of detail. Thank you.
Glad to help Kieren and good luck!
Hi Ramon,
We're using standard server licenses. We have Azure AD and Office 365. The following are our Atlassian product versions. What is the best way to implement SSO without installing/purchasing an add-on?
Jira 7.12.3
Confluence 7.2.2
Bitbucket 6.9.2
Hello, I know that this is an old answer but I have a question about it and I hope someone is going to be able to answer me.
What if I also provision my users from Azure AD and they're periodically synced, wouldn't the emails of the users automatically get updated when they get synced after the domain change?
Thanks,
Qusai Atoon.
Very good! I would assume this is the same case with moving to a new AzureAD tenant with a new domain name?
We are in the middle of an M&A and we plan on migrating our users into the parent company. We would like to shift our Atlassian account to the new parent company and migrate Atlassian SSO from our current AzureAD tenant to the new parent company AzureAD tenant. This would involve changing all of our users' email addresses to the new parent domain and continuing to auth using SSO. We want to keep all data associated. I don't see this as much different from a domain name change, but wanted to make sure.
Thanks!
Hi Matthew,
It will not work in that case because the SSO link used by the automatic email address change will be invalidated when switching Azure implementations.
You will need to perform an account migration in that case.
I hope this helps.
Yes, this is very helpful! This still seems very attainable with minimal downtime and impact to the business. Will all existing data and permissions be retained after switching the user email addresses? I assume when you say account migration, you refer to the migration of the identity services and not an entire org migration to a new Atlassian account.
Lastly, will this change the primary URL seen throughout the Atlassian account? Ideally the URL will reflect the new domain we are moving to as we start rebranding the account.
While this seems straightforward, I have bigger concerns with integrations and Opsgenie.
Thanks!
Yes, the Atlassian accounts will continue to have access to the sites and their existing data after the change. They are simply identified under the new email address.
The change I mentioned indeed only covers the identity part. For the URL of your cloud sites, you will need to arrange the site rename separately by following this KB article.