Frequently asked questions when implementing SAML single sign-on
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Purpose
When configuring SAML SSO in an organization, you might have questions related to the implementation and how it will change the experience of the users that work with Atlassian products. In this article, you will find the answer to questions that administrators have once it is implemented.
Questions and answers
| Scenario | Response |
|---|---|
| I am an organization administrator and after configuring SAML, I can no longer log-in. | If some configuration is wrong, this will block any user from the domains to log-in again. According to the SAML SSO article, we can see the following recommendations to avoid scenarios like this one: New incognito window
Temporary administrator outside of the verified domains
Use only test accounts to have SSO enforced prior to the rollout With the Authentication policies feature, you can add specific accounts that will be used to test the SSO implementation on a policy that will have it enforced. This way, if something goes wrong, you can still use the administrator accounts to adjust the configuration.
|
Will the users be locked out during the process to implement SAML? Also, will they be logged out once it is implemented? | No users will be logged out nor locked out if they have active sessions at https://id.atlassian.com/the Atlassian instances sites that they are actively working. |
During the implementation, will there have any downtime? | No. The SAML configuration can be applied at an organization while everyone is working, but, it is highly recommended to do it in offline hours because it is applied as soon as you save it on your Atlassian organization. If SSO is not configured properly, users will not be able to authenticate once their sessions are expired. |
Can I have SAML SSO implemented to users outside of my verified domains? | No. SAML SSO is a policy that is only applied to the managed accounts belonging to the verified domains in the organization as these accounts belong to the policies created by the administrator. For users outside of the verified domains, they will log-in with the credentials for their Atlassian Accounts. |
| Can I test SSO before enabling it? | While we have a suggestion that is in progress for implementation, the Authentication policies feature allows you to only include specific users from a verified domain to have security policies enabled. This way, SSO can be tested for only specific accounts until it is rolled out for the whole organization.
|
Is SAML restricted to the sites from my organization? Can I have SAML applied only to them? | No. When configuring SAML, it will be applied to the managed accounts from the verified domains and their authentication in https://id.atlassian.com which is used to log-in to any existing Atlassian Cloud sites. This means that even for sites that are outside of your organization, where the users have access, they will authenticate via SSO because the policy is implemented at an account level instead of a site only.
|
Can I have multiple SSO configurations at my org? | No. A single SAML configuration is applied to the organization, but, this is something that we are considering and gathering feedback in this suggestion. |
| Can I have SSO applied to a single product? | No. Due to SAML being implemented to the accounts belonging to the verified domains, the user will go through the SSO authentication for any sites that they have access to. |
Can I bypass the managed accounts of my organization from my SSO configuration? For example, a dedicated scope for which users will have it applied. | Yes. With the Authentication policies feature, you can select which users will belong to the security policies configured at the organization. |
I have implemented SAML, but, the users are not being asked to authenticate when they access Atlassian sites. | Users will only be asked to authenticate if they log-out/have their session ended in the https://id.atlassian.com site, which is where it is managed to access any sites. Even after implementing SAML, if the user still has an active session, the SSO authentication will only be required in the next log-in, even if a different site is accessed.
|
Can my users use the local Atlassian account password after SSO is enabled? | No. As soon as SAML is enabled, when the users try to log-in through the site (that will redirect to https://id.atlassian.com) and enter the email address, the SAML SSO redirection will be triggered so the authentication will be finished at the SSO side. |
| At the IDP, the user has multiple email addresses. Which one should I use for the Atlassian account? | When mapping users to SAML, make sure that the NameId value reflects the Atlassian account email. Otherwise:
|
As an organization administrator, you can also contact Atlassian support via email/voicemail to have the configuration removed or receive an email to bypass SSO and re-configure it.