SAML login fails for a user whose email was changed
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
You may have changed the email address of a managed account at your identity provider, but instead of the existing Atlassian account being updated with the new address, the user now has a brand new Atlassian account. The user may be unable to log in and may see this error:

- "Hang on, we need to verify a few things before you can log in"

Email address change tracking requires that the identity provider send us a unique, unchanging id for the user. This id goes in one of four SAML attributes:

A frequent misconfiguration at an identity provider is to place the user's email address in this field. If this happens, we cannot track email address changes, and a login with the new address is treated as a new user.
General Resolution

Configure the identity provider to put a unique, unchanging id (such as an employee number) in one of these SAML attributes.

This also prevents the same issue from recurring in future for any user whose email address changes at the identity provider.
Another variation of this issue is specific to Azure

You may have changed the domain for all your users, for example every user at <email>@old.domain moved to <email>@new.domain. You make this change correctly at the IdP and expect logins to work the next time each user signs in.

Instead, users who try to log in with their new email domain address do not get access, because their Atlassian account has not been updated to the new email address.

The first place to check is whether the Azure MFA/SAML configuration has the correct user identifier: you may need to change it from user.mail to user.userprincipalname, which is static compared to user.mail.

To make this easier for organisation admins, Atlassian development teams are expected to start work on a related feature request, ACCESS-609, which is about allowing org admins to resolve this situation more quickly on their own.
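The mechanism behind both the general case and the Azure variation (an identity provider that sends the email address as the user's identifier, so a changed address looks like a brand new user, versus a stable id such as an employee number) is shown in the following added Python example. It is an illustration written for this article, not Atlassian's code or its real account-linking logic. The assertion is constructed inline, and the attribute names `employeeNumber` and `email`, the sample users and values, and the `AccountStore` class are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names are assumptions for this example, not Atlassian's actual attribute list.
UNIQUE_ID_ATTR = "employeeNumber"
EMAIL_ATTR = "email"

# Rough "looks like an email address" check, enough to flag the misconfiguration.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_assertion(name_id, attrs):
    """Build a constructed, minimal (unsigned) SAML 2.0 assertion for the demo."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attrs.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: first value}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
    return name_id, attrs


def misconfigured_unique_id(assertion_xml):
    """True when the attribute meant to carry the stable id holds an email-shaped value."""
    _, attrs = parse_assertion(assertion_xml)
    return bool(EMAIL_RE.match(attrs.get(UNIQUE_ID_ATTR, "")))


class AccountStore:
    """Hypothetical service-provider side: links assertions to local accounts."""

    def __init__(self, key_on_email):
        # key_on_email=True models the misconfiguration (email used as the identifier).
        self.key_on_email = key_on_email
        self.accounts = {}  # lookup key -> {"email": ..., "unique_id": ...}

    def login(self, assertion_xml):
        _, attrs = parse_assertion(assertion_xml)
        key = attrs[EMAIL_ATTR] if self.key_on_email else attrs[UNIQUE_ID_ATTR]
        account = self.accounts.get(key)
        if account is None:
            # No match: the user gets a brand new account.
            account = {"email": attrs[EMAIL_ATTR], "unique_id": attrs[UNIQUE_ID_ATTR]}
            self.accounts[key] = account
            return "created", account
        if account["email"] != attrs[EMAIL_ATTR]:
            # Same stable id, new address: the existing account is updated instead.
            account["email"] = attrs[EMAIL_ATTR]
            return "email_updated", account
        return "matched", account


def simulate(key_on_email):
    """Log the same person in before and after an email change; report outcomes and account count."""
    store = AccountStore(key_on_email)
    before = make_assertion("alice@old.example",
                            {UNIQUE_ID_ATTR: "E12345", EMAIL_ATTR: "alice@old.example"})
    after = make_assertion("alice@new.example",
                           {UNIQUE_ID_ATTR: "E12345", EMAIL_ATTR: "alice@new.example"})
    first, _ = store.login(before)
    second, _ = store.login(after)
    return first, second, len(store.accounts)


if __name__ == "__main__":
    print("keyed on email:    ", simulate(key_on_email=True))   # ('created', 'created', 2)
    print("keyed on stable id:", simulate(key_on_email=False))  # ('created', 'email_updated', 1)
    bad = make_assertion("bob@old.example",
                         {UNIQUE_ID_ATTR: "bob@old.example", EMAIL_ATTR: "bob@old.example"})
    print("unique id holds an email:", misconfigured_unique_id(bad))  # True
```

Running it shows the two outcomes this article contrasts: the email-keyed store ends up with two accounts after the address change (the duplicate account described above), while the store keyed on the stable id updates the one existing account's email. `misconfigured_unique_id` is the check an admin would run over an assertion captured from the identity provider: if the attribute that is supposed to carry the unchanging id contains an email-shaped value, the IdP mapping needs to be corrected before any further troubleshooting.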