Atlassian Guard / ACCESS-747

Prioritize SCIM Full Name attribute over SAML when both integrations are being used


      Current functionality:

      SAML SSO uses givenname and surname attributes to define the Full name for an Atlassian account.

      User provisioning (SCIM) uses the displayName attribute to define the Full name for an Atlassian account.

      It's possible to have different values mapped by SCIM and by SAML: SCIM will update when syncing, and SAML will update when users log in.

      The suggestion:

      Knowing that some IdPs don't support changing the givenname and surname, it would be great if, when having SCIM, only the attribute sent by SCIM is considered. Otherwise, customers may face unwanted Full name changes for their users due to a mismatch between the values of the two integrations.

      Workaround:

      Option 1: Remove the givenname and surname attributes of SAML from being sent by the IdP; with this, the SCIM attribute will be the only one updating the value.

      Note: this is only applicable for IdPs which allow modifying/removing the attributes.

      OR

      Map the givenname to the displayname and map surname to a dummy AD attribute that does not contain any real value.

      Option 2: In Okta, update the User's Profile so that their Nickname is sent as their givenName/surName.

      Option 3: Alternatively, you can configure SAML in Atlassian using a generic app in Okta in addition to the "Atlassian Cloud" app (for SCIM) by simply changing the SAML settings in Atlassian to point to the new generic app in Okta.
      This trades off the ability to have both a Jira and a Confluence button in Okta for the ability to disable the givenName/surName attributes in SAML. Please note that the email address for the nameId needs to use the same user property as the SCIM configuration used by the "Atlassian Cloud" app.

      Option 4: In Okta, we can force the Provisioning DisplayName attribute to use the "GivenName SurName" format, similar to what is used by the SAML-SSO for setting up the name.

      • Set the provisioning displayName attribute to user.firstName+" "+user.lastName. Use "Force sync" to propagate the changes to Atlassian.
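
An added example (not Atlassian's code and not part of the ticket): an audit an admin could run to list the accounts where the Full name SCIM sets (`displayName`) differs from the one a SAML login would write (`givenname` + `surname`, joined in the "GivenName SurName" format Option 4 describes). The users, assertions, claims-URI prefix and all function names are constructed for illustration; matching attribute names by their last path segment is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_full_name(assertion_xml):
    """Name a SAML login would write ("givenname surname"), or None if neither is sent."""
    parts = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        # Assumption: the IdP sends a short name or a claims URI; compare the last segment.
        key = attr.get("Name", "").rsplit("/", 1)[-1].lower()
        if key in ("givenname", "surname"):
            parts[key] = attr.findtext("saml:AttributeValue", "", NS).strip()
    return " ".join(p for p in (parts.get("givenname"), parts.get("surname")) if p) or None

def name_conflicts(scim_users, saml_assertions):
    """Accounts whose SCIM displayName differs from the name a SAML login would write."""
    conflicts = []
    for user in scim_users:
        xml = saml_assertions.get(user["userName"])
        saml_name = saml_full_name(xml) if xml else None
        scim_name = (user.get("displayName") or "").strip()
        if saml_name is not None and saml_name != scim_name:
            conflicts.append((user["userName"], scim_name, saml_name))
    return conflicts

def _assertion(attrs):
    """Build a constructed, unsigned sample assertion carrying only the given attributes."""
    body = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>" for name, value in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f"{body}</saml:AttributeStatement></saml:Assertion>")

# Constructed sample data: three SCIM user records and the assertion each login sends.
SCIM_USERS = [
    {"userName": "alex@example.com", "displayName": "Alex Kim"},
    {"userName": "sam@example.com", "displayName": "Sam Rivera"},
    {"userName": "jo@example.com", "displayName": "Jo Park"},
]
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # constructed prefix
SAML_BY_USER = {
    "alex@example.com": _assertion({CLAIMS + "givenname": "Alex", CLAIMS + "surname": "Kim"}),
    "sam@example.com": _assertion({"givenname": "Samuel", "surname": "Rivera"}),
    "jo@example.com": _assertion({}),  # Option 1: the IdP sends no name attributes
}

if __name__ == "__main__":
    for user, scim_name, saml_name in name_conflicts(SCIM_USERS, SAML_BY_USER):
        print(f"{user}: SCIM={scim_name!r} SAML={saml_name!r}")
```

Accounts whose assertion carries neither attribute are skipped, because a SAML login then has no name to write.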
         


            Aneita added a comment -

            Hi everyone,

            Just a quick update to let you know that this change has now been released. SAML will no longer override the full name attribute for a SCIM-synced user. If you experience any issues with this, please raise a new ticket so that we can investigate further.

            Cheers,

            Aneita

            Fontane, Matt added a comment -

            Thank you Aneita! This is GREAT news! A HUGE help to us.

            Aneita added a comment -

            Hi everyone,

            Thanks for your interest and patience on this feature request.

            Good news - next week, we will begin rolling out a change to prevent SAML from overriding a user's full name when the user is also synced via SCIM.

            I will update this ticket once the rollout is complete (expected to take 1 week after starting).

            Thanks,

            Aneita

            Calvin Lee added a comment -

            This issue caused us to inadvertently deadname some employees which triggered a DEI mess. Please fix this technical oversight!

            Olivia Brown added a comment -

            Please implement this change in the OIN network to allow us to choose which Okta attributes to send to givenname and surname and corresponding documentation. It's something we've come to expect in Okta and other applications. This is the 9th most voted ticket and it's an easy fix! The SCIM is pointless if SAML is overwriting.

            The workarounds don't work for Okta because the integration does not allow us to modify the givenname and surname attributes.

            Brüse, Bernhard added a comment -

            We found an additional workaround which works for us: Simply don't provide the givenname and surname attributes via SAML SSO!

            After removing these attributes from the SAML configuration + having a fresh SCIM record sync (performed by Atlassian support), the full names of managed accounts remain correct even after SAML SSO logins.

            Joabe Soares added a comment - https://getsupport.atlassian.com/browse/PCS-212512

            Dave Peticolas added a comment -

            This is a really important feature to implement.

            Peter Cselotei - Lupus Consulting Zrt. added a comment -

            Dear all,

            We have faced this issue too.
            I've created a fifth workaround, publishing it to the Atlassian community, you can find it here:
            https://community.atlassian.com/t5/Atlassian-Access-discussions/Changing-order-of-the-names-in-Access/m-p/2441744#M317?utm_source=dm&utm_medium=unpaid-social&utm_campaign=P:online*O:community*I:social_share*

            Have a nice day!
            Peter

            Sarah Rosas added a comment - https://getsupport.atlassian.com/browse/PCS-198467

              ayang@atlassian.com Aneita
              mdossantos Matheus