Open issues

Order by Priority
  1. Suggestion
    ACCESS-1609Allow automatically redirected to SSO provider when logging into a site
  2. Suggestion
    ACCESS-1533Allow for org and site admin permissions to be assigned via groups (local or provisioned)
  3. Suggestion
    ACCESS-1834Automatically move users from local policy to IDP linked policy once they are provisioned
  4. Suggestion
    ACCESS-2394Improve Accuracy of Active Trello Users in Product Insights
  5. Suggestion
    ACCESS-800Ability to rename groups after they've synced to the organization from an identity provider.
  6. Suggestion
    ACCESS-1486Add option to Google Workspace sync settings to sync all groups
  7. Suggestion
    ACCESS-2392Expand BBC activities tracked in Atlassian Guard audit log
  8. Suggestion
    ACCESS-583Create usage report tools
  9. Suggestion
    ACCESS-2391Allow the ability to set up multiple directories for OSync
  10. Suggestion
    ACCESS-1846Ability to add IP Allowlist for JSM and Jira separately.
  11. Suggestion
    ACCESS-1532Ability to exclude JSM portal from IP allowlist
  12. Suggestion
    ACCESS-1566Google Workspace - Group assignment redesign
  13. Suggestion
    ACCESS-822Support more synced attributes for SCIM User Provisioning
  14. Suggestion
    ACCESS-979Allow managed account email addresses to be changed to a domain not verified at the organization
  15. Suggestion
    ACCESS-1009Ability to control site/organization access for accounts via user provisioning
  16. Suggestion
    ACCESS-1051SSO on the Atlassian cloud site level
  17. Suggestion
    ACCESS-1836Allow org admins to bypass SAML SSO authentication
  18. Suggestion
    ACCESS-905Provide a web UI to change the managed accounts' public name for organization admins
  19. Suggestion
    ACCESS-1002Enabling allow listing policies automatically blocks Atlassian's own IPs
  20. Suggestion
    ACCESS-1506Provide additional controls for SAML SSO login workflow
  21. Suggestion
    ACCESS-1523Allow Synced Groups to be Searched and/or Sorted
  22. Suggestion
    ACCESS-1559Ability to export groups from Atlassian Admin
  23. Suggestion
    ACCESS-1988Ability to allow admins to delete access requests
  24. Suggestion
    ACCESS-2390Enable additional attributes when SCIM syncing from Google IdPs
  25. Suggestion
    ACCESS-1782Ability to turn [Has access on site] toggle off by default
  26. Suggestion
    ACCESS-977Ability to exclude or remove a site from User Provisioning (SCIM)
  27. Suggestion
    ACCESS-668Allow organization admins to have full control over profile visibility settings
  28. Suggestion
    ACCESS-1737Re-sync a provisioned external account with the Provisioned data following email address change
  29. Suggestion
    ACCESS-1905Provide the ability to retroactively add Managed accounts to Authentication Policy when marked as default
  30. Suggestion
    ACCESS-1978Delete the synced user's Atlassian account once the user is deleted from the IDP
  31. Suggestion
    ACCESS-2364Separate Data Export and File Download Blocking into Different Security Policies
  32. Suggestion
    ACCESS-69Provide the ability to download SP SAML metadata and/or display it on an URL to be consumed.
  33. Suggestion
    ACCESS-598Add level of access for Organization administrators
  34. Suggestion
    ACCESS-1396Ability to check and re-sync unlinked external user SCIM records
  35. Suggestion
    ACCESS-1516Ability to Restrict Users Logging in from Personal Mobile Devices
  36. Suggestion
    ACCESS-1612Ability to selectively enable external user security for subset of external users
  37. Suggestion
    ACCESS-1952Allow Multiple External User Security Policies
  38. Suggestion
    ACCESS-1979Provide SSO authentication with Microsoft Azure Automatic Integration
  39. Suggestion
    ACCESS-2027External user security support for Loom
  40. Suggestion
    ACCESS-2198Email or in-product notification before SCIM API key expiry
  41. Suggestion
    ACCESS-2212Ability to have more granular control of the "data export block" for Jira and Confluence
  42. Suggestion
    ACCESS-2285Sync group membership from synced group to the default access group
  43. Suggestion
    ACCESS-2388Ability to add groups to authentication policies.
  44. Suggestion
    ACCESS-1148Improve the administration interface for User Provisioning
  45. Suggestion
    ACCESS-1315Include support ticket information for Atlassian Support IP Policy in Security > IP allowlisting
  46. Suggestion
    ACCESS-1831Ability to export/display Last Authenticated date to the User’s last active dates
  47. Suggestion
    ACCESS-1915Allow External users login via IDP Application Dashboards when enforced with External SAML SSO
  48. Suggestion
    ACCESS-2387Improvement in audit log for update of addon app.
  49. Suggestion
    ACCESS-1550Grant site admins the option to manage API tokens access for unmanaged users
  50. Suggestion
    ACCESS-2068Support Microsoft Primary Refresh Token for login
Refresh results
1 of 500
Uploaded image for project: 'Atlassian Guard'
  1. Atlassian Guard
  2. ACCESS-1609

Allow automatically redirected to SSO provider when logging into a site

    • 209
    • Hide

      Update December 16, 2024:

      We are happy to report that Remember Me has now launched on atlassian.com/login. You can find more details here: https://support.atlassian.com/atlassian-account/docs/log-in-to-your-atlassian-account/

      We understand that you are looking for additional solutions for a streamlined login experience. We are actively investigating additional opportunities. One of these opportunities is supporting Microsoft Primary Refresh Token for login. If you are interested in this solution, please provide your feedback here: https://jira.atlassian.com/browse/ACCESS-2068

      Thank you for your continued feedback,

      Holly

      Show
      Update December 16, 2024: We are happy to report that Remember Me has now launched on atlassian.com/login. You can find more details here: https://support.atlassian.com/atlassian-account/docs/log-in-to-your-atlassian-account/ We understand that you are looking for additional solutions for a streamlined login experience. We are actively investigating additional opportunities. One of these opportunities is supporting Microsoft Primary Refresh Token for login. If you are interested in this solution, please provide your feedback here: https://jira.atlassian.com/browse/ACCESS-2068 Thank you for your continued feedback, Holly

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Problem Definition

      Currently, when an SAML SSO is enable for the instance , the user still need to key in their email in id.atlassian.com , then it will redirected to the SSO provider.

      Suggested Solution

      It will be best if there's option to go automatically to the login from the configured SSO provider.

      Why this is important

      It prevent user end to key in their email two times to login to Atlassian product.

      Workaround

      No workaround

          Form Name

            Bruno Abele added a comment -

            Hello 01d943550371, have you tried the "remember" check box on the login dialogue? If you did, you do not have to enter the email, you only have to press "next". 

            The Atlassian login for "fresh users" goes over 2 steps:

            • First the user is authorized against the SSO server defined by the company that owns the email address. The Atlassian account is used for multiple site URLs and you can check your profile without accessing any site. 
              Here, Atlassian needs to know the email address of the user. If user was logged in before, Atlassian can remember the email address.
            • In a second step, when users accesses the site URL, the ORG of the site can define if they want another check. There, you can use your own SSO server (in the "Externals" setting under Security in the admin gui). At that time user has already done the login of step 1.
              This means that if I have users with an email address not from my domain (e.g. some supplier), they have to do 2 SSOs: First in their own company, then in our SSO.

            This 2 steps come from the fact that Atlassian accounts are independent from any site. If you allow only users with email from your own claimed domains, step 1 and step 2 are combined.

            As special case, there could be a solution if you have not allowed such "external email addresses" on your site and you have SSO enabled for your claimed domains. 

            But most users complain that they have to "enter" their email address - if they just set the "remember" checkbox, it would be just a click. That solution is good enough for me, and it was rolled out some months ago.

             

            Bruno Abele added a comment - Hello 01d943550371 , have you tried the "remember" check box on the login dialogue? If you did, you do not have to enter the email, you only have to press "next".  The Atlassian login for "fresh users" goes over 2 steps: First the user is authorized against the SSO server defined by the company that owns the email address. The Atlassian account is used for multiple site URLs and you can check your profile without accessing any site.  Here, Atlassian needs to know the email address of the user. If user was logged in before, Atlassian can remember the email address. In a second step, when users accesses the site URL, the ORG of the site can define if they want another check. There, you can use your own SSO server (in the "Externals" setting under Security in the admin gui). At that time user has already done the login of step 1. This means that if I have users with an email address not from my domain (e.g. some supplier), they have to do 2 SSOs: First in their own company, then in our SSO. This 2 steps come from the fact that Atlassian accounts are independent from any site. If you allow only users with email from your own claimed domains, step 1 and step 2 are combined. As special case, there could be a solution if you have not allowed such "external email addresses" on your site and you have SSO enabled for your claimed domains.  But most users complain that they have to "enter" their email address - if they just set the "remember" checkbox, it would be just a click. That solution is good enough for me, and it was rolled out some months ago.  

            Erich added a comment -

            > Of course, Atlassian cannot know which SSO server is responsible for the user on a new session. User has to enter an email address at least once.

            I don't think that is true. If Atlassian knows which SSO to contact based on email address, there is no reason they can't configure the same SSO based on the URL domain. Why do I have to enter erich@stateuniv.edu when I've already attempted to go to https://stateuniv.atlassian.com? Could there be some clients that allow users from multiple SSO regimes to access their wiki material? I suppose. Those suckers will still have to enter their email address. If ALL of the restricted wiki pages in our wiki ONLY allow access if authorized by a single SSO entity, then we should not need to enter our email address (until we hit the IdP).

            I don't think there has been an improvement either. I still have to enter my email address with Atlassian every. single. time. They pass me to Microsoft where I have to enter my email address again, and finally I reach the IdP where I have to enter actual credentials. Every other provider seems to be able to pass me directly to our SSO page without much trouble, but apparently, it's too difficult for Atlassian to figure out.

            Erich added a comment - > Of course, Atlassian cannot know which SSO server is responsible for the user on a new session. User has to enter an email address at least once. I don't think that is true. If Atlassian knows which SSO to contact based on email address, there is no reason they can't configure the same SSO based on the URL domain. Why do I have to enter erich@stateuniv.edu when I've already attempted to go to https://stateuniv.atlassian.com? Could there be some clients that allow users from multiple SSO regimes to access their wiki material? I suppose. Those suckers will still have to enter their email address. If ALL of the restricted wiki pages in our wiki ONLY allow access if authorized by a single SSO entity, then we should not need to enter our email address (until we hit the IdP). I don't think there has been an improvement either. I still have to enter my email address with Atlassian every. single. time. They pass me to Microsoft where I have to enter my email address again, and finally I reach the IdP where I have to enter actual credentials. Every other provider seems to be able to pass me directly to our SSO page without much trouble, but apparently, it's too difficult for Atlassian to figure out.

            Bruno Abele added a comment -

            In the context of this ticket:

            • Of course, Atlassian cannot know which SSO server is responsible for the user on a new session. User has to enter an email address at least once.
            • After that, why does Atlassian not just prefill the login form with the email address of the last user (store it in a cookie, just like all other Atlassian cookies) and forget it only if the user presses "Logout" in the menu? 

            Atlassian has improved the situation (a bit) as the re-confirmation of accounts (aka "daily login") does now remember the email, and login needs only one click, at least if the user is already logged into their SSO provider. Same dialog could be used on "login", too.

            The timeout for login after inactivity can be configured in the IDP settings, btw., it does not need to be "daily". We keep it on daily (or shorter) as Atlassian does not handle web calls from SSO provider, when the user logs out there, or is logged out: https://jira.atlassian.com/browse/ACCESS-702. So we have to check often if the user is still logged in at our SSO, to ensure access to our Atlassian data is terminated.

             

            Bruno Abele added a comment - In the context of this ticket: Of course, Atlassian cannot know which SSO server is responsible for the user on a new session. User has to enter an email address at least once. After that, why does Atlassian not just prefill the login form with the email address of the last user (store it in a cookie, just like all other Atlassian cookies) and forget it only if the user presses "Logout" in the menu?  Atlassian has improved the situation (a bit) as the re-confirmation of accounts (aka "daily login") does now remember the email, and login needs only one click, at least if the user is already logged into their SSO provider. Same dialog could be used on "login", too. The timeout for login after inactivity can be configured in the IDP settings, btw., it does not need to be "daily". We keep it on daily (or shorter) as Atlassian does not handle web calls from SSO provider, when the user logs out there, or is logged out: https://jira.atlassian.com/browse/ACCESS-702 . So we have to check often if the user is still logged in at our SSO, to ensure access to our Atlassian data is terminated.  
            SET Analytics Bot made changes -
            Support reference count Original: 208 New: 209
            Emily Shem-Tov (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 1042608 ]
            Alexandre Botelho made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 1041327 ]
            SET Analytics Bot made changes -
            Support reference count Original: 207 New: 208
            SET Analytics Bot made changes -
            Support reference count Original: 206 New: 207
            Murakami [Atlassian Support] made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 1039621 ]
            SET Analytics Bot made changes -
            Support reference count Original: 205 New: 206

              d056dd6d7b90 Holly Makris (Inactive)
              nroslan Atiqah Roslan
              Votes:
              443 Vote for this issue
              Watchers:
              233 Start watching this issue

                Created:
                Updated: