Details
Suggestion
Resolution: Unresolved
Description
Problem
When attempting to unclaim a managed account, the error "Account can only be unclaimed by identity provider" is generated if the user is provisioned.
Admins must currently deprovision a user first, and then they can unclaim them.
Suggested solution
Unclaiming should automatically deprovision a user.
Why this is important
Many identity providers don't support an easy way to deprovision a user (e.g. they don't call Atlassian's "Deactivate A User" API endpoint without deleting the identity provider profile, or they never call that API endpoint at all). As a result, admins have to resort to less-than-ideal, time-consuming methods for deprovisioning a user (detailed below).
Workaround
The provisioning link needs to be removed to allow the account to be un-claimed.
1. De-provision the accounts by removing them from all the provisioned groups and the scope of provisioning.
2. Break the provisioning link for the de-provisioned account using either of the options below.
   - Manually call Atlassian's user provisioning "Deactivate a User" API to delete the SCIM user record and unlink the account. Please see this KB article on how to identify the SCIM record for an account.
   - Ask Atlassian support to delete the SCIM user record and unlink the account.
3. Reactivate the un-linked Atlassian Account via Managed Accounts administration.
4. Un-claim the account via the Domain administration.
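
The first option in step 2, sketched in Python as an added example (not code from the original issue or from Atlassian): it looks up the SCIM record by `userName`, refuses to proceed unless exactly one record matches, and then issues the "Deactivate a User" call. Assumptions: the base URL `https://api.atlassian.com/scim/directory`, the `/Users` and `/Users/{id}` paths, the `userName eq` filter and Bearer API-key authentication; the directory id, API key and sample record are placeholders.

```python
import json
import urllib.parse
import urllib.request

# Assumption: base URL of Atlassian's user provisioning (SCIM) API.
SCIM_BASE = "https://api.atlassian.com/scim/directory"

def _request(method, url, api_key):
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    return urllib.request.Request(url, method=method, headers=headers)

def lookup_request(directory_id, api_key, user_name):
    """GET request that finds the SCIM record by userName."""
    if '"' in user_name or "\\" in user_name:
        raise ValueError("refusing userName that could alter the SCIM filter")
    query = urllib.parse.urlencode({"filter": f'userName eq "{user_name}"'})
    return _request("GET", f"{SCIM_BASE}/{directory_id}/Users?{query}", api_key)

def select_scim_id(list_response, user_name):
    """Return the SCIM id only when exactly one record matches."""
    hits = [r["id"] for r in list_response.get("Resources", [])
            if r.get("userName", "").lower() == user_name.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected 1 SCIM record for {user_name}, found {len(hits)}")
    return hits[0]

def deactivate_request(directory_id, api_key, scim_id):
    """DELETE request ("Deactivate a User") that removes the SCIM record."""
    safe_id = urllib.parse.quote(scim_id, safe="")
    return _request("DELETE", f"{SCIM_BASE}/{directory_id}/Users/{safe_id}", api_key)

def break_provisioning_link(directory_id, api_key, user_name,
                            opener=urllib.request.urlopen):
    """Look up the record, then delete it; returns (scim_id, HTTP status)."""
    with opener(lookup_request(directory_id, api_key, user_name)) as resp:
        scim_id = select_scim_id(json.load(resp), user_name)
    with opener(deactivate_request(directory_id, api_key, scim_id)) as resp:
        return scim_id, resp.status

if __name__ == "__main__":
    # Constructed sample response; no network call is made here.
    sample = {"Resources": [{"id": "scim-0001", "userName": "jdoe@example.com"}]}
    scim_id = select_scim_id(sample, "jdoe@example.com")
    print(deactivate_request("dir-placeholder", "API_KEY", scim_id).full_url)
```

Steps 3 and 4 (reactivating and un-claiming the account) are still done in the admin console after the call succeeds.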