Type: Bug
Resolution: Unresolved
Priority: Low
Component/s: IdP SSO - Google Cloud (G Suite)
Severity 3 - Minor
Issue Summary
The Set Email REST API fails for non-provisioned users enforced with Google Workspace SSO.
Error:
{
  "key": "forbidden.action",
  "context": {
    "allowed": false,
    "reason": {
      "key": "externalDirectory.google"
    }
  },
  "errorKey": "forbidden.action",
  "errorDetail": {
    "allowed": false,
    "reason": {
      "key": "externalDirectory.google"
    }
  }
}
Steps to Reproduce
- Set up the Google Workspace integration
- Confirm that the user is part of the Google Workspace authentication policy enforced with SSO
- Remove the user account from the SCIM sync or disable the sync
- Changing the email is now allowed via the managed account admin UI
- Use the REST API endpoint https://api.atlassian.com/users/<accountid>/manage/email to change the user email
Expected Results
As the account is locally managed, we should be able to set a new email for the user.
Actual Results
The email update fails with the error below:
{
  "key": "forbidden.action",
  "context": {
    "allowed": false,
    "reason": {
      "key": "externalDirectory.google"
    }
  },
  "errorKey": "forbidden.action",
  "errorDetail": {
    "allowed": false,
    "reason": {
      "key": "externalDirectory.google"
    }
  }
}
Workaround
Option 1: The email can be updated from the UI. This is not a feasible option when the changes have to be applied to user profiles in bulk.
Option 2: Use the Google Cloud SAML-SSO
- Set up SAML-SSO with Google Cloud (different from Google Workspace)
- Move the affected user from the Google Workspace SSO authentication policy to the Google Cloud SAML-SSO authentication policy.
- The Set Email API should now work.
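For a bulk run, the error payload shown in this ticket can be used to separate accounts blocked by the Google Workspace directory (candidates for Option 2) from other failures. This is an added example, not Atlassian's code; the account ids, HTTP status codes and the second reason key are constructed, and `block_reason` and `triage` are hypothetical helper names.

```python
import json
from collections import defaultdict

def _err(reason_key):
    """Build an error body in the shape shown in this ticket."""
    detail = {"allowed": False, "reason": {"key": reason_key}}
    return json.dumps({"key": "forbidden.action", "context": detail,
                       "errorKey": "forbidden.action", "errorDetail": detail})

# Constructed sample: (account id, HTTP status, response body) as a bulk job
# might record them. Ids and status codes are placeholders, not real data.
SAMPLE_RESULTS = [
    ("acct-0001", 204, ""),
    ("acct-0002", 403, _err("externalDirectory.google")),
    ("acct-0003", 403, _err("example.otherReason")),   # constructed reason key
    ("acct-0004", 500, "<html>gateway error</html>"),  # non-JSON failure
]

def block_reason(body):
    """Return the reason key of a forbidden.action error, else None."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None  # empty or non-JSON body
    if not isinstance(doc, dict):
        return None
    if "forbidden.action" not in (doc.get("key"), doc.get("errorKey")):
        return None
    for field in ("context", "errorDetail"):
        detail = doc.get(field)
        if isinstance(detail, dict) and detail.get("allowed") is False:
            reason = detail.get("reason")
            if isinstance(reason, dict) and "key" in reason:
                return reason["key"]
    return "unknown"

def triage(results):
    """Group account ids by outcome so blocked accounts can be handled apart."""
    buckets = defaultdict(list)
    for account_id, status, body in results:
        reason = None if 200 <= status < 300 else block_reason(body)
        if 200 <= status < 300:
            buckets["updated"].append(account_id)
        elif reason == "externalDirectory.google":
            buckets["blocked_by_google_workspace"].append(account_id)
        elif reason:
            buckets["forbidden:" + reason].append(account_id)
        else:
            buckets["other_failure"].append(account_id)
    return dict(buckets)
```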