Uploaded image for project: 'Atlassian Guard'
  1. Atlassian Guard
  2. ACCESS-106

Allow Org Admins the ability to test SSO

XMLWordPrintable

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Release update

      Hi All,

      We are excited to announce that we have shipped the Authentication policies feature. Using this feature you can test SSO on a few accounts before enabling it across your organization (https://www.atlassian.com/software/access/guide/elements/authentication-policies#why-apply-multiple-authentication-policies). We are still in the last leg of the rollout. If your organization doesn’t have the feature yet, file a support ticket (https://support.atlassian.com/contact/#/) and we will enable the feature for you.

      Thanks,

      The Atlassian Access team.

      Enabling SSO can be an iterative process and there are no proof of concept options.

      The implications of enabling SAML can have wide spread negative consequences if not configured correctly and is complicated further if the Org Admin doesn't have a backup account to let them back to delete the SAML configuration or make SSO changes.

      Suggested Solution

      Allow Org Admins the ability to either simulate or test SSO settings without committing to make the cutover. In doing so, it would boost confidence and admins can better plan for the actual implementation/cutover. Also, allow Org Admins to test Atlassian Access REST API.

      Workaround (Optional) 

      Advise Org Admins to carefully review documentation and consider attempting to cutover to SSO during non peak hours which can include pre-communications to the user community and a follow up note to indicate go or no-go.

            [ACCESS-106] Allow Org Admins the ability to test SSO

            Narmada Jayasankar added a comment -

            Hi,

            We are excited to announce that we have shipped the Authentication policies feature. Using this feature you can test SSO on a few accounts before enabling it across your organization (https://www.atlassian.com/software/access/guide/elements/authentication-policies#why-apply-multiple-authentication-policies). We are still in the last leg of the rollout. If your organization doesn’t have the feature yet, file a support ticket (https://support.atlassian.com/contact/#/) and we will enable the feature for you.

            Thanks,

            The Atlassian Access team.

            Narmada Jayasankar added a comment - Hi, We are excited to announce that we have shipped the Authentication policies feature. Using this feature you can test SSO on a few accounts before enabling it across your organization ( https://www.atlassian.com/software/access/guide/elements/authentication-policies#why-apply-multiple-authentication-policies ). We are still in the last leg of the rollout. If your organization doesn’t have the feature yet, file a support ticket ( https://support.atlassian.com/contact/#/ ) and we will enable the feature for you. Thanks, The Atlassian Access team.

            Eli Stair added a comment -

            In general, the ability to have the SSO settings configured and stored, but not enabled globally (ie the ability to toggle on/off) is both expected "minimum viable product", but also critical to operational practices.  In addition, this could be implemented in a fashion piggybacking on ACCESS-85, where conversely to disabling SSO for administrative users, it could be enabled in limited scope to support testing and a path to application globally.

            Eli Stair added a comment - In general, the ability to have the SSO settings configured and stored, but not enabled globally (ie the ability to toggle on/off) is both expected "minimum viable product", but also critical to operational practices.  In addition, this could be implemented in a fashion piggybacking on ACCESS-85 , where conversely to disabling SSO for administrative users, it could be enabled in limited scope to support testing and a path to application globally.

            Dave Meyer added a comment -

            Hi spencescu,

            Unfortunately we don't have a timeline right now on when we will provide any sandbox capabilities for SAML; our current recommended approach is to test the configuration on a subdomain, like text.yourdomain.com, prior to verifying your production domain.

            Regards,
            Dave Meyer
            Atlassian Access Product Management

            Dave Meyer added a comment - Hi spencescu , Unfortunately we don't have a timeline right now on when we will provide any sandbox capabilities for SAML; our current recommended approach is to test the configuration on a subdomain, like text.yourdomain.com, prior to verifying your production domain. Regards, Dave Meyer Atlassian Access Product Management

            Sherman Pencescu added a comment -

            Is there any ETA for some progress here?

            Sherman Pencescu added a comment - Is there any ETA for some progress here?

            Sherman Pencescu added a comment - - edited

            Some apps have a "SAML test" button in order to verify the config. It seems the Atlassian SAML config (and the Google authentication too for that matter) require DNS changes which need time to propagate - which means downtime beyond an organization's control. 

            I have configured SAML for many apps and it is not a great ordeal, so I suggest to simplify the process.

            Sherman Pencescu added a comment - - edited Some apps have a "SAML test" button in order to verify the config. It seems the Atlassian SAML config (and the Google authentication too for that matter) require DNS changes which need time to propagate - which means downtime beyond an organization's control.  I have configured SAML for many apps and it is not a great ordeal, so I suggest to simplify the process.

            Dave Thomas added a comment -

            I would add also that being able to schedule the outage and have a named Atlassian support rep with SAML configuration knowledge on hand to call immediately to resolve issues would be helpful. Having to submit a ticket and using one time links to access if it goes wrong doesn't speak to a supportive process from the vendor

            Dave Thomas added a comment - I would add also that being able to schedule the outage and have a named Atlassian support rep with SAML configuration knowledge on hand to call immediately to resolve issues would be helpful. Having to submit a ticket and using one time links to access if it goes wrong doesn't speak to a supportive process from the vendor

            Peter Buckley added a comment -

            One possible implementation would be providing the ability to enable SSO for the org, and only apply it "per site" so admins could test on a non-production site.

            Peter Buckley added a comment - One possible implementation would be providing the ability to enable SSO for the org, and only apply it "per site" so admins could test on a non-production site.

            Trey Bornmann added a comment -

            It would be very helpful to have a chart that shows the provisioning aspects of all SSO solutions next to each other (ex: provisioning details, user creation, disabled users, deleted users, sync speed, etc).

             

            Trey Bornmann added a comment - It would be very helpful to have a chart that shows the provisioning aspects of all SSO solutions next to each other (ex: provisioning details, user creation, disabled users, deleted users, sync speed, etc).  

              njayasankar@atlassian.com Narmada Jayasankar
              jworley Jason Worley (Inactive)
              Votes:
              22 Vote for this issue
              Watchers:
              43 Start watching this issue

                Created:
                Updated:
                Resolved: