  1. Atlassian Access
  2. ACCESS-1144

Improve SAML authentication to include domain forwarding scenarios

    Description

      Issue Summary

      An organization has 2 domains, a primary domain and a secondary domain. Their intention is for Jira Service Desk portal customer users on their secondary domain to be forwarded to their primary domain email address and logged in successfully as a managed account.

      Environment

      The customer has claimed both the primary and secondary domains above and, in this example, uses Azure AD to control user management and access.

      Steps to Reproduce

      1. Customer claims primary domain A and secondary domain B
      2. For a user who has an email address on the primary domain and is a normal Atlassian Account, the scenario below works. Example: usera@primarydomain.com and usera@secondarydomain.com
        1. User logs in as usera@secondarydomain.com at the Jira or Confluence landing page, or even at id.atlassian.com
        2. User is then forwarded to the Azure AD portal, enters usera@primarydomain.com, and is able to log in and use Jira and Confluence successfully
        3. The Atlassian Account holds only the primary domain email address, usera@primarydomain.com
      3. For a JSD customer portal user who has both email addresses userb@primarydomain.com and userb@secondarydomain.com, the scenario below occurs and the login fails overall
        1. Customer lands at the JSD customer portal page
        2. Customer logs in as userb@secondarydomain.com at the JSD customer portal page, e.g. https://<instance>.atlassian.net/servicedesk/customer/portals
        3. This user is not forwarded to the Azure AD page. This is expected, as the customer email account userb@secondarydomain.com does not exist as an Atlassian Account and only exists as a customer portal account
        4. In normal scenarios, this account has to be converted to an Atlassian Account to allow SSO access
        5. However, converting this account, which is a secondary account, into an Atlassian Account will still fail to reach Azure AD in the way the customer plans to access it with the primary domain, as the converted account will still have the userb@secondarydomain.com email address instead of userb@primarydomain.com

      Expected Results

      Customer wants the landing page of the customer portal to behave exactly the way the landing page of Jira/Confluence behaves.

      Actual Results

      The landing page of Jira Service Desk and the first-level authentication of JSD customers behave vastly differently from the Jira Core / Confluence landing pages.

      Workaround

      Please ensure that each customer uses only 1 domain email address to log in across all products. This will work correctly.

            People

              kdight Kieren (Inactive)
              sveeriah Suba V (Inactive)
              Votes: 14
              Watchers: 6
