- Suggestion
- Resolution: Unresolved
- None
- 73
Problem
When attempting to unclaim a managed account, the error "Account can only be unclaimed by identity provider" is generated if the user is provisioned.
Admins must currently deprovision a user first, and then they can unclaim them.
Suggested solution
Unclaiming should automatically deprovision a user.
Why this is important
Many identity providers don't support an easy way to deprovision a user (e.g. they don't call Atlassian's "Deactivate A User" API endpoint without deleting the identity provider profile, or just outright don't ever call that API endpoint). This results in admins having to resort to less-than-ideal methods for deprovisioning a user (detailed below) that are time consuming.
Workaround
The provisioning link needs to be removed to allow the account to be un-claimed. Note that unsyncing a user always causes them to lose all synced groups.
1. Break the provisioning link for the de-provisioned account using any of the options below.
   - Manually call the Delete user in SCIM DB API endpoint.
   - Manually call Atlassian's user provisioning "Deactivate a User" API to delete the SCIM user record and unlink the account. Please see this KB article on how to identify the SCIM record for an account.
   - In many identity providers, deleting the identity provider account while the account is assigned to the Atlassian Cloud App will cause the user to be delinked.
   - Ask Atlassian support to delete the SCIM user record and unlink the account.
2. Reactivate the un-linked Atlassian Account via Managed Accounts administration.
3. Un-claim the account via the Domain administration.
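The "Deactivate a User" option from step 1, as an added example (not part of the original issue and not Atlassian's code): it finds the SCIM record by `userName` and builds the DELETE only when exactly one record matches. The `api.atlassian.com` host, the Bearer-token header, and `userName` holding the account email are assumptions; the directory ID and token come from your own provisioning setup.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.atlassian.com"  # assumption: host of the user provisioning API


def headers(token):
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def users_url(directory_id, scim_id=None):
    base = f"{API}/scim/directory/{urllib.parse.quote(directory_id, safe='')}/Users"
    return base if scim_id is None else f"{base}/{urllib.parse.quote(scim_id, safe='')}"


def lookup_request(directory_id, email, token):
    """GET request that filters the directory for one userName."""
    # json.dumps quotes and escapes the value, so it cannot alter the filter.
    query = urllib.parse.urlencode({"filter": f"userName eq {json.dumps(email)}"})
    return urllib.request.Request(f"{users_url(directory_id)}?{query}",
                                  headers=headers(token), method="GET")


def select_scim_id(list_response, email):
    """Return the SCIM id only when exactly one record matches the address."""
    hits = [r for r in list_response.get("Resources", [])
            if r.get("userName", "").lower() == email.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected 1 SCIM record for {email}, found {len(hits)}")
    return hits[0]["id"]


def deactivate_request(directory_id, scim_id, token):
    """DELETE request for the "Deactivate a User" endpoint."""
    return urllib.request.Request(users_url(directory_id, scim_id),
                                  headers=headers(token), method="DELETE")


def deprovision(directory_id, email, token, send=urllib.request.urlopen):
    """Look up, then deactivate. Unsyncing removes the user's synced groups."""
    with send(lookup_request(directory_id, email, token)) as resp:
        scim_id = select_scim_id(json.load(resp), email)
    with send(deactivate_request(directory_id, scim_id, token)) as resp:
        return scim_id, resp.status
```

Record the user's group memberships before calling `deprovision`, since the synced groups are lost once the link is broken.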
- is related to
  - ACCESS-1564 Provisioning a user should respect domain claim settings (Gathering Interest)
[ACCESS-1478] Domain unclaim should work with provisioned/synced accounts
Support reference count | Original: 72 | New: 73 |
Support reference count | Original: 71 | New: 72 |
Remote Link | New: This issue links to "Page (Confluence)" [ 1015799 ] |
Support reference count | Original: 70 | New: 71 |
Support reference count | Original: 69 | New: 70 |
Support reference count | Original: 68 | New: 69 |
Support reference count | Original: 67 | New: 68 |
Description |
Original:
h3. Problem
When attempting to [unclaim a managed account|https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/#Unclaim-accounts], the error "Account can only be unclaimed by identity provider" is generated if the user is provisioned. Admins must currently deprovision a user first, and then they can unclaim them.
h3. Suggested solution
Unclaiming should automatically deprovision a user.
h3. Why this is important
Many identity providers don't support an easy way to deprovision a user (e.g. they don't call [Atlassian's "Deactivate A User" API endpoint|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-users/#api-scim-directory-directoryid-users-userid-delete] without deleting the identity provider profile, or just outright don't ever call that API endpoint). This results in admins having to resort to less-than-ideal methods for deprovisioning a user (detailed below) that are time consuming.
h3. Workaround
The provisioning link needs to be removed to allow the account to be un-claimed.
# Break the provisioning link for the de-provisioned account using any of the options below.
## Manually call the [Delete user in SCIM DB API endpoint|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-admin-apis/#api-group-admin-apis].
## Manually call [Atlassian's user provisioning "Deactivate a User" API|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-users/#api-scim-directory-directoryid-users-userid-delete] to delete the SCIM user record and unlink the account. Please see this [KB article|https://confluence.atlassian.com/cloudkb/how-to-filter-users-in-provisioning-scim-using-rest-api-1108090980.html] on how to identify the SCIM record for an account.
## In many identity providers, deleting the identity provider account while the account is assigned to the Atlassian Cloud App will cause the user to be delinked.
## Ask Atlassian support to delete the SCIM user record and unlink the account.
# Reactivate the un-linked Atlassian Account via Managed Accounts administration.
# Un-claim the account via the Domain administration. |
New:
h3. Problem
When attempting to [unclaim a managed account|https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/#Unclaim-accounts], the error "Account can only be unclaimed by identity provider" is generated if the user is provisioned. Admins must currently deprovision a user first, and then they can unclaim them.
h3. Suggested solution
Unclaiming should automatically deprovision a user.
h3. Why this is important
Many identity providers don't support an easy way to deprovision a user (e.g. they don't call [Atlassian's "Deactivate A User" API endpoint|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-users/#api-scim-directory-directoryid-users-userid-delete] without deleting the identity provider profile, or just outright don't ever call that API endpoint). This results in admins having to resort to less-than-ideal methods for deprovisioning a user (detailed below) that are time consuming.
h3. Workaround
The provisioning link needs to be removed to allow the account to be un-claimed. Note that unsyncing a user always causes them to lose all synced groups.
# Break the provisioning link for the de-provisioned account using any of the options below.
## Manually call the [Delete user in SCIM DB API endpoint|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-admin-apis/#api-group-admin-apis].
## Manually call [Atlassian's user provisioning "Deactivate a User" API|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-users/#api-scim-directory-directoryid-users-userid-delete] to delete the SCIM user record and unlink the account. Please see this [KB article|https://confluence.atlassian.com/cloudkb/how-to-filter-users-in-provisioning-scim-using-rest-api-1108090980.html] on how to identify the SCIM record for an account.
## In many identity providers, deleting the identity provider account while the account is assigned to the Atlassian Cloud App will cause the user to be delinked.
## Ask Atlassian support to delete the SCIM user record and unlink the account.
# Reactivate the un-linked Atlassian Account via Managed Accounts administration.
# Un-claim the account via the Domain administration. |
Summary | Original: Domain unclaim should work with provisioned accounts | New: Domain unclaim should work with provisioned/synced accounts |
Support reference count | Original: 66 | New: 67 |