Uploaded image for project: 'Atlassian Access'
  1. Atlassian Access
  2. ACCESS-609

Make it possible for Org Administrators to clear the Managed Accounts' SAML ID

    XMLWordPrintable

Details

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      Atlassian status as of 24 June 2019

      We have deployed a solution that will automatically detect incorrectly linked SAML Ids and re-link them with the correct user accounts. This fix negates the need for this feature.

      Problem Definition

      There are some cases where an email is changed (i.e. a@a.com to b@a.com) , however, the SAML Id on Atlassian side is still related to that old Account so when the user tries to log in he receives an error saying that:

      login.forbidden.handle-linked-saml-users.update-linked-primary-user-email-failed-400.content
      

      or user is blocked

      Currently, the only way to resolve these issues is contact support to gather some details regarding the user such as:

      • The SAML Response from the user login attempt.
      • Check the old and new email address.
      • Check in what account the application historic is placed.
      • Check if that account has the correct email address and change it if it doesn't has.
      • Escalate the ticket to the dev team to clear the SAML link.

      Suggested Solutions

      Create a feature that allows the Organization Administrators to clear the SAML Id link from their managed accounts. That will reduce the number of escalations to the development team since the SAML link can be cleared by the Org Admins or the support team.

      Workaround

      1. Review the write up on the long term solution to avoid and resolve these issues in future at SAML login fails for a user whose email was changed
      2. If you're unable to resolve this, reach out to support via https://support.atlassian.com to further investigate the issue and the accounts related to it.
      3. While working with support, the following can be used as temporary workaround so that the affected user can generate a session to the cloud site and continue working.
        1. Go to https://id.atlassian.com/login/resetpassword and generate a recovery link for affected email address.
        2. Access the recovery email and click on Log in to my account
        3. In the browser tab that popped up, put in the URL of the cloud site https://<site>.atlassian.net

       

      Attachments

        Issue Links

          Activity

            People

              njayasankar@atlassian.com Narmada Jayasankar
              jnunes@atlassian.com João Nunes
              Votes:
              7 Vote for this issue
              Watchers:
              18 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: