Atlassian Guard / ACCESS-728

Users can't log in using SSO after having their previous account updated to an unmanaged domain.

      Issue Summary

      When a managed account that has been linked through SSO is updated to an unmanaged domain, any new account created for the old managed email address won't be able to use SSO.

      The SAML integration looks the user up by the UPN or other unique, immutable identifier sent by the IdP. That lookup still finds the SAML link attached to the now unmanaged account, so the login fails.

      Steps to Reproduce

      1. Update a managed account that has already logged in through SAML to an unmanaged domain, e.g. a@managed.com to a@unmanaged.com.
      2. Create a new account with the managed email that was in use (a@managed.com), or update an existing account to that address.
      3. Trigger a new SSO login to that account.

      Expected Results

      When the Org admin updates the original account's email to an unmanaged address, the SAML link should be cleared, and the SSO login to the new account should work.

      Actual Results

      The link remains associated with the now unmanaged account, and the user receives the following error when trying to log in:

      https://id.atlassian.com/login/callback?error=access_denied&error_description=verify-saml-domains:invalid-email-domain-for-primary-user&state=xxxxxx3f0818497a384f24cb5c1d44440bc81at

      Workaround

      It's possible to work around this bug in three ways:

      • Change the email of the original (now unmanaged) account back to one of your verified domains. This makes the account managed again, and a new SSO login should automatically re-do the linking to the new account holding a@managed.com.
        This is the preferable approach, as it should cause the least disruption to the Org's users.
      • Verify the unmanaged domain that the account was updated to. As with the first approach, this makes the account holding the link managed, and our system will be able to re-do the linking on the next login. Note that by verifying the new domain, all users from that domain will start using your SSO configuration and will be notified.
      • Re-do the SAML integration. All new logins will then create a new SAML link, so the affected users will get a new link to their correct account and will be able to log in.

      If none of these approaches is feasible for your use case, please contact support.
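      The lookup described in the summary, the reproduction steps and the three workarounds, as an added Python model that is not Atlassian's code: accounts, a SAML link table keyed by the IdP's immutable subject identifier, the email update that leaves a stale link on a now unmanaged account, and the expected behaviour in which that link is cleared. The order of checks in sso_login(), the re-link when the linked account no longer holds the asserted email, the account-not-found code, and the sample org (managed.com, a@managed.com, the subject identifier) are assumptions made for the example.

```python
"""Toy model of the SAML account-link lookup behind ACCESS-728 (added
illustration, not Atlassian's code). The link table keyed by the IdP's immutable
subject identifier and the error string come from the ticket; the order of checks
in sso_login(), the re-link-on-mismatch rule and NOT_FOUND are assumptions."""
from dataclasses import dataclass, field

INVALID_DOMAIN = "verify-saml-domains:invalid-email-domain-for-primary-user"  # from the ticket's callback URL
NOT_FOUND = "account-not-found"  # assumed; the ticket does not cover this path


@dataclass
class Account:
    account_id: str
    email: str


@dataclass
class Org:
    verified_domains: set
    accounts: dict = field(default_factory=dict)    # account_id -> Account
    saml_links: dict = field(default_factory=dict)  # (config_id, subject) -> account_id
    saml_config_id: int = 1                         # bumped when SAML is set up again

    def is_managed(self, acct):
        return acct.email.rsplit("@", 1)[1].lower() in self.verified_domains

    def find_by_email(self, email):
        return next((a for a in self.accounts.values() if a.email.lower() == email.lower()), None)

    def create_account(self, account_id, email):
        if self.find_by_email(email) is not None:
            raise ValueError(f"email already in use: {email}")
        self.accounts[account_id] = Account(account_id, email)

    def update_email(self, account_id, new_email, clear_stale_link=False):
        """Org-admin email change. clear_stale_link=False is the buggy behaviour:
        the SAML link survives the account's move to an unmanaged domain."""
        if self.find_by_email(new_email) is not None:
            raise ValueError(f"email already in use: {new_email}")
        acct = self.accounts[account_id]
        acct.email = new_email
        if clear_stale_link and not self.is_managed(acct):
            # Expected behaviour per the ticket: leaving the verified domains drops
            # the link so the subject can be re-linked on the next login.
            for key in [k for k, v in self.saml_links.items() if v == account_id]:
                del self.saml_links[key]

    def redo_saml_integration(self):
        self.saml_config_id += 1  # workaround 3: old links are no longer consulted

    def sso_login(self, idp_subject, asserted_email):
        """Return the account_id that logs in, or an error code."""
        key = (self.saml_config_id, idp_subject)
        linked_id = self.saml_links.get(key)
        if linked_id is not None:
            linked = self.accounts[linked_id]
            if not self.is_managed(linked):
                return INVALID_DOMAIN  # the bug: subject still linked to an unmanaged account
            if linked.email.lower() == asserted_email.lower():
                return linked_id
            # Linked account is managed but no longer holds the asserted email:
            # fall through and re-link (workarounds 1 and 2 rely on this).
        target = self.find_by_email(asserted_email)
        if target is None:
            return NOT_FOUND
        if not self.is_managed(target):
            return INVALID_DOMAIN
        self.saml_links[key] = target.account_id
        return target.account_id


SUBJECT = "idp-subject-0001"  # constructed immutable IdP identifier for user a


def broken_org(clear_stale_link=False):
    """Steps 1 and 2 of the ticket, after one successful SAML login."""
    org = Org(verified_domains={"managed.com"})
    org.create_account("acct-1", "a@managed.com")
    assert org.sso_login(SUBJECT, "a@managed.com") == "acct-1"
    org.update_email("acct-1", "a@unmanaged.com", clear_stale_link)  # step 1
    org.create_account("acct-2", "a@managed.com")                     # step 2
    return org


def reproduce():
    """Step 3 with the current (buggy) behaviour, and with the expected fix."""
    buggy = broken_org().sso_login(SUBJECT, "a@managed.com")
    fixed = broken_org(clear_stale_link=True).sso_login(SUBJECT, "a@managed.com")
    return buggy, fixed


def workarounds():
    """Each of the ticket's three workarounds, applied to a fresh broken org."""
    a = broken_org()
    a.update_email("acct-1", "a.old@managed.com")  # 1: back onto a verified domain
    b = broken_org()
    b.verified_domains.add("unmanaged.com")        # 2: acct-1 becomes managed again
    c = broken_org()
    c.redo_saml_integration()                      # 3: new SAML integration
    return {n: o.sso_login(SUBJECT, "a@managed.com")
            for n, o in (("move_back", a), ("verify_domain", b), ("redo_integration", c))}
```

      Calling reproduce() returns the ticket's verify-saml-domains:invalid-email-domain-for-primary-user code for the buggy update and "acct-2" for the fixed one; workarounds() logs the subject into acct-2, the account now holding a@managed.com, under all three approaches. In the model the stale link is what fails the login, which is why the first two workarounds work by making the linked account managed again rather than by touching the new account.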


            Kat N added a comment -

            Hi everyone,
            Thanks for watching and following this ticket. Since this bug hasn't been reported by any customers over the past year, we are closing it as "Timed Out". If your team is still impacted by this issue, please leave a comment for us to re-evaluate and reopen.

              njayasankar@atlassian.com Narmada Jayasankar
              akasper André K. (Inactive)
              Affected customers: 0
              Watchers: 7