Google Apps group-based syncing FAQs

This frequently asked question page covers frequently asked questions about the Google Apps integration and group-based syncing. To get group-based syncing, you'll need to set up Google apps.


I've integrated my site with Google Apps, but I don't have group-based syncing. How do I switch to group-based syncing?

From your current Google Apps integration, click Disconnect to disable the integration, then reconnect your integration.

You'll notice changes to your integration experience and how it works.

After I grant the permissions required, I cannot sync my users. What's wrong? 

To connect to Google Apps, you must be an admin on your Google Apps account and have the correct permissions. Make sure you have the following required admin privileges:

If I have an Atlassian account...

If you aren't sure whether you have an Atlassian account, navigate to your Atlassian site. If you see the following screen, then Atlassian accounts are enabled:

How does group-based syncing work?

To set up group-based syncing, you'll need to connect your Atlassian site to your Google Apps account and select the group(s) that you want to sync to your Atlassian site. When you choose to sync, the following things occur:

  • Users who are new to your Atlassian site—We'll provision and invite these users, giving them default application access the first time the sync runs. As a result, you can start mentioning them in comments or issues even before they start using the product.
  • Existing users on your Atlassian site—We'll link them to their Google Apps account the first time the sync runs, based on their primary email address.

Users on your verified Google domains:

  • Click the Log in using Google button to log in.

    If your users are unable to log in with Google, it may be because they signed up for an Atlassian account using an email alias. If that's the case, see I can't log in to my Atlassian account using my Google credentials because I use an email alias.

  • Need to contact their Google Apps admin to change their Atlassian account details (full name and email address). 
  • Now change their password from Google.
  • Have their name and email address synchronized from Google to their Atlassian account every 4 hours.

As an admin, you'll manage the following from the Google admin panel:

  • Your users' account details, which will be synced to your Atlassian site every 4 hours.
  • Your user password policy and password resets.

We'll automatically claim the domain(s) on your Google Apps account on your behalf, which will allow you to change user account details. Anyone who has an Atlassian account on your verified domains will receive an email informing them that their account is now managed. You can learn more about managed accounts and domain claims.

What changes when I switch my current integration to group-based syncing?

The following things will change when you start using group-based syncing:

Without group-based syncing With group-based syncing
Any user coming from your Google Apps account can sign up for access to your site.

You can explicitly select who you would like to have access to your site.

To allow anyone with a verified email address to still sign up for your site, you can enable domain restricted signup. From the Site administration, go to the Sign up options page.

Your bill was based on users who signed up on their own. Your bill is now a combination of the group(s) members you selected to sync and (if you complete domain restricted sign up) those who sign up themselves.
Google updates your users' details each time they logged in. Google updates the Atlassian account details of your users in the synced group(s) every 4 hours.

I can't log in to my Atlassian account using my Google credentials because I use an email alias.

You can log in at id.atlassian.com/login?saml=false to bypass the forced Google login. We highly recommend that your users with accounts using email aliases change their email to their primary email address.

If I don't have an Atlassian account...

We highly recommend that you enable single sign-on in the Single sign-on tab of Site Administration and read the I have an Atlassian account section. This is our upgraded login experience which will allow Google login for all of your existing users. If you choose to enable group-based syncing without first enabling SSO, your users may have issues with logging in and accessing your site. 

How does group-based syncing work?

To set up group-based syncing, you'll need to connect your Atlassian site to your Google Apps account and select the group(s) that you want to sync to your Atlassian site. When you choose to sync, the following things occur:

  • Users who are new to your Atlassian site—We'll provision and invite these users, giving them default application access the first time the sync runs. As a result, you can start mentioning them in comments or issues even before they start using the product.
  • Existing users on your Atlassian site (and in the synced groups)—We'll link them to their Google Apps account the first time the sync runs, based on their primary email address.
  • Existing users on your Atlassian site (not in the synced groups)—We can't link them to their Google Apps account. Enable SSO (Atlassian account) to solve this issue. 

Users on your verified Google domains:

  • Click the Log in using Google button to log in.

    If your users are unable to log in with Google, it may be because they signed up for an Atlassian account using an email alias. If that's the case, see I can't log in to my Atlassian account using my Google credentials because I use an email alias.

  • Need to contact their Google Apps admin to change their Atlassian account details (full name and email address). 
  • Have their name and email address synchronized from Google to their Atlassian account every 4 hours.

As an admin, you'll manage your users' account details from the Google admin panel, which will be synced to your Atlassian site every 4 hours.

We'll automatically claim the domain(s) on your Google Apps account on your behalf, which will allow you to change user account details. Anyone who has an Atlassian account on your verified domains will receive an email informing them that their account is now managed. You can learn more about managed accounts and domain claims.

What changes when I switch my current integration to group-based syncing and don't have SSO (Atlassian account)?

The following things will change when you start using group-based syncing:

Without group-based syncing With group-based syncing
Any user coming from your Google Apps account can sign up for access to your site.

You can explicitly select who you would like to have access to your site.

To allow anyone with a verified email address to still sign up for your site, you can enable domain restricted signup. From the Site administration, go to the Sign up options page.

Your bill was based on users who signed up on their own. Your bill is now a combination of the group(s) members you selected to sync and (if you complete domain restricted sign up) those who sign up themselves.
Google updates your users' details each time they logged in. Google updates the Atlassian account details of your users in the synced group(s) every 4 hours.
Your users can log in using Google.

For your users to continue to Log in using Google, they need to belong to the group(s) of users that are being synced from Google. To prevent issues that may come up, enable single sign-on in the Single sign-on page of your Site administration.

I don't have group-based syncing enabled. What changes when I enable SSO (Atlassian account)?

The following things will change when you enable SSO:

Without SSO With SSO
Your site's users can choose whether to log in using Google or to log in using an email and password.

Any Atlassian account users coming from your Google domain(s) will be required to log in your Atlassian site using their Google credentials.

If your users created Atlassian accounts using email aliases, they may be unable to log in to their account. To regain access, they can login at the following URL: id.atlassian.com/login?saml=false. We highly recommend that your users change the email address of any Atlassian accounts that were created using an email alias. 

You reset your users' passwords or set a password policy from the Site administration.
You'll reset your users' passwords or change your password policy from Google's admin panel because your users will use their Google credentials to log in. 

I have group-based syncing enabled. What changes when I enable SSO (Atlassian account)?

The following things will change when you enable SSO:

Without SSO With SSO
Your site's users can choose whether to log in using Google or to log in using an email and password.

Any Atlassian account users coming from your Google domain(s) will be required to log in your Atlassian site using their Google credentials.

If your users created Atlassian accounts using email aliases, they may be unable to log in to their account. To regain access, they can login at the following URL: id.atlassian.com/login?saml=false. We highly recommend that your users change the email address of any Atlassian accounts that were created using an email alias. 

You reset your users' passwords or set a password policy from the Site administration.
You'll reset your users' passwords or change your password policy from Google's admin panel because your users will use their Google credentials to log in. 
We automatically claimed the domain(s) on your Google Apps account on your behalf.

Because your domain(s) will be already claimed, you'll have greater control over any Atlassian accounts that belong to your Google domains, and you'll be able to change the account's details.

I have my Google Apps integration configured and I've enabled SSO (Atlassian account). Now my users can't login.

It may be that your users signed up for an Atlassian account using an email alias. They can log in at id.atlassian.com/login?saml=false to bypass the forced Google login. We highly recommend that your users with accounts using email aliases change their email to their primary email address.

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport