Details
- Suggestion
- Resolution: Fixed
- None
- 113
Description
We've rolled out a change in Atlassian Administration to show warnings when organization admins add/edit an authentication policy with single sign-on (SSO) and when they update SAML configuration.
Please see our support documentation on testing your authentication policy (including SSO) on a smaller subset of users before rolling it out.
Problem Definition
When an org admin configures SAML single sign-on with an identity provider and the org admin(s) are included in the enforced SSO policy, the org admin(s) can get locked out of their accounts if there is an issue with the SAML configuration.
Suggested Solution
- There should be a UI warning message when configuring authentication policies to warn admins that they have an "org admin" account in an authentication policy where enforced SSO is enabled
- The message can warn the admin that their own org admin account could be locked out
Why this is important
- If there is a problem with the SAML configuration, the org admin(s) will end up locked out of their own organization and are forced to contact support for assistance
- This can help reduce contact index and alleviate support load
- Usually when this happens, none of the org's users can log in either, so admins need to recover access quickly and fix the SAML configuration issue
Workaround
- When testing, exclude the org admin(s) from authentication policies where enforced SSO is enabled. This ensures that the org admin(s) are not locked out if there is an issue with the SAML configuration
- Add another org admin who is on a domain that is not claimed by the Atlassian organization
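A pre-rollout check that applies both workarounds to a list of policies, as an added example that is not Atlassian code or an Atlassian API. The `Policy` fields, function names and sample data are hypothetical, and it assumes, following the second workaround, that an admin on an unclaimed domain is not subject to the enforced SSO policy.

```python
# Added example: hypothetical data model, not an Atlassian API or export format.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    enforce_sso: bool
    members: set = field(default_factory=set)  # member e-mail addresses

def domain(email):
    return email.rsplit("@", 1)[-1].lower()

def lockout_report(org_admins, policies, claimed_domains):
    """Return (at_risk, fallback): admins who depend on SAML, and admins who do not."""
    claimed = {d.lower() for d in claimed_domains}
    at_risk, fallback = [], []
    for admin in sorted(a.lower() for a in org_admins):
        # Workaround 2: admin on a domain the organization has not claimed
        # (assumed here to be outside the enforced SSO policy).
        if domain(admin) not in claimed:
            fallback.append(admin)
            continue
        enforced = sorted(p.name for p in policies
                          if p.enforce_sso and admin in {m.lower() for m in p.members})
        # Workaround 1: admin excluded from every policy that enforces SSO.
        if enforced:
            at_risk.append((admin, enforced))
        else:
            fallback.append(admin)
    return at_risk, fallback

def safe_to_roll_out(org_admins, policies, claimed_domains):
    """True only if at least one org admin does not depend on the SAML configuration."""
    return len(lockout_report(org_admins, policies, claimed_domains)[1]) > 0

# Constructed sample data.
POLICIES = [
    Policy("sso-enforced", True, {"alice@example.com", "bob@example.com"}),
    Policy("default", False, {"carol@example.com"}),
]
CLAIMED = {"example.com"}

if __name__ == "__main__":
    admins = {"alice@example.com", "bob@example.com"}
    for admin, names in lockout_report(admins, POLICIES, CLAIMED)[0]:
        print(f"WARNING: org admin {admin} is in enforced-SSO policy {names}")
    print("safe to roll out:", safe_to_roll_out(admins, POLICIES, CLAIMED))
```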
Issue Links
- is related to
  - ACCESS-1005 Improve error message for deleting configuration for SAML while in use by authentication policy (Gathering Interest)
- relates to
  - ACE-3514