Uploaded image for project: 'Atlassian Guard'
  1. Atlassian Guard
  2. ACCESS-2172

When a domain is in the VERIFIED_UNCLAIMED status, the provisioning service considers the accounts as external users (unverified domain)

XMLWordPrintable

      Issue Summary

      When verifying a domain, it goes through 3 statuses: 

      • UNVERIFIED -> VERIFIED_UNCLAIMED  -> VERIFIED

      The VERIFIED_UNCLAIMED indicates that the domain verification was already done successfully, but no accounts from that domain have been claimed yet.

      When syncing users from an Identity Provider, the provisioning service will consider the users from that domain as external users (from unverified domains). 

      This is particularly problematic when trying to update users' email addresses. Leading to orphaned SCIM records (lost of access) and duplicated accounts. 

      Steps to Reproduce

      1. Verify domain A and claim the accounts.  
      2. Verify domain B and don't claim any accounts. 
      3. Sync a user from domain A with email user@domainA.com
      4. Change the user's email address on the Identity Provider side: user@domainB.com

      Expected Results

      The original account's email should be updated. 

      Actual Results

      1. The original account will be unlinked from the SCIM record, possibly blocking the users from accessing products (via synced groups). 
      2. The SCIM record will now contain the new email address, but without any link to the new (duplicate) account.
      3. IF the user tries to authenticate with the new email address, a duplicate account will be created. 
      4. If a sync happens and triggers an update to that specific SCIM record (like adding that user to a group or modifying any attributes), the SCIM record will be linked to the new (duplicate) account.

      Workaround

      The workaround consists of making sure that at least 1 user is claimed, which will move the domain to the VERIFIED status. 

      If the issue already happened and a duplicate account was created: 

      Option 1:

      1. Delete the SCIM record using the endpoint Delete user in SCIM DB
      2. Modify the duplicate account's email to something else. For example, free_user@domainB.com
      3. Modify the original account's email to the email released in step 2. 
      4. Resync from the Identity Provider to recreate the record. Depending on the Identity Provider, a full restart of the provisioning service might be required. 

      Option 2:

       Contact Atlassian Support so the support team for assistance. 

              Unassigned Unassigned
              bd4a89fcb3fe Renan Andrade
              Affected customers:
              0 This affects my team
              Watchers:
              4 Start watching this issue

                Created:
                Updated: