Can I activate SSO with these settings?

Antonia
Contributor
May 26, 2025

Screenshot 2025-05-26 123911.png

I want my customers (internal colleagues) to be able to log in with SSO. On the website: https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-for-portal-only-customers/ it says that it only works for portal-only customers, but aren't my customers portal only customers?

1 answer

0 votes
Robert DaSilva
Community Champion
May 26, 2025

Hey @Antonia ,

Could you confirm if your internal colleagues have other Atlassian licenses (Jira, Confluence, etc), or are they only being granted the Customer permission for Jira Service Management?

The "Portal Only Customers" SSO configuration only works for users that don't also have other licenses. For internal users, you must use the SSO configuration provided through Atlassian Guard.

Hope that helps,

Robert

Antonia
Contributor
May 26, 2025

Hey @Robert DaSilva, thank you for your answer. I would do this with the portal-only-customer settings, but I have not set portal-only accounts in the Customer Access settings. Is that a bad thing? Does it still work? My customers have no licenses.

Robert DaSilva
Community Champion
May 27, 2025

@Antonia I'm not sure I understand your concerns with your last comment.

I would encourage you to review the following documentation related to Portal Only customers in JSM: https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-for-portal-only-customers/

This feature is intended for individuals that will only ever access your Customer Portal to raise requests in your JSM Project.

To configure the feature, you will need to navigate to the Admin Hub (admin.atlassian.net), then to Products (or Apps, if it's been renamed in your instance already), then to the instance you want to configure.

Screenshot 2025-05-27 at 9.44.03 AM.png

Once here, find the Jira Service Management section, and then click the "Portal Only Customers" option. This is where you will be given the option to configure SSO for these users.

Screenshot 2025-05-27 at 9.45.10 AM.png

 

Hope that helps!

Robert

Antonia
Contributor
May 27, 2025

I would just want to know beforehand whether it works at all with the settings if “portal only customer” is not even selected. Please take a look at my settings, I haven't selected “portal-only account” for External, so I'm asking whether it works at all with the settings I have there.

Robert DaSilva
Community Champion
May 27, 2025

@Antonia To be clear, you're referring to the "Allow portal-only accounts to be created for new customers accessing the help center" option, under "External", yes?

This setting is specifically for external users, allowing them to create Atlassian Accounts that are automatically granted the "Customer" permission in your instance, if they don't already have an account with that access.

This setting should not impact the ability to enable SSO for your internal users.

I'll reiterate, if you are aiming to enable single sign-on for accounts that are considered part of your company or organization, the proper way to accomplish this is to utilize Atlassian Guard and enable SSO for your entire site. 

Here is the guide for how to enable SSO via Atlassian Guard: https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/

The "Portal Only SSO" option is designed for customers that are not part of your organization.

Antonia
Contributor
May 27, 2025

@Robert DaSilva Yes, correct.
I was a bit confused by the settings, because our internal customers only have access to the portal, so they would actually be portal-only customers; they don't have a license either.
So we have already set up SSO, but for our IT staff/admins, can I simply add our customers to the group? Is there a way to automatically add them to the group when a customer registers with us?

Robert DaSilva
Community Champion
May 27, 2025

@Antonia If you already have SSO configured, and your internal customers are other employees of your organization, you should do the following:

  1. Assign all "portal only customers" the Customer License for Jira Service Management. This is a free license and will not have any additional cost. This can be done through your connection to your Identity Provider, or via groups in the User Management section of the Admin hub.
  2. Double check your project permissions and access settings to ensure that users of the group for which the Customer license is added (usually, but not always jira-servicemanagement-customers-ORGANIZATION_NAME_HERE) have access to the project itself, and are granted the JSM Customer Role.
  3. Double check your Guard settings to ensure all users are added to an Authentication Policy that enables SSO.

Once this is done, your internal users should be prompted to SSO when they visit the portal.

Cheers,

Robert

Antonia
Contributor
May 27, 2025

@Robert DaSilva Okay, I think there's a bit more to it than that. I think I first have to create a new team and then put all the customers in there and then I can link our SSO group to the team.

Antonia
Contributor
May 27, 2025

@Robert DaSilva I just tried it with the teams, but my customers don't have rights to the team, so I can't add them at all. So I should create a new group and not a new team? And then set up SSO for the group?

Robert DaSilva
Community Champion
May 28, 2025

@Antonia You need to ensure that the users you want to access the customer portal are granted the "Customer" license type for Jira Service Management in the Admin Hub. This is traditionally done via Group Membership, and as you indicated you have an Identity Provider configured, that would be the best place to start.

I recommend the following:

  1. Create a group in your Identity Provider to hold all users you want to be given access to the Customer Portal, both new users and old users.
  2. When the IDP sync with Atlassian occurs, find the new group you created in the Site Directory, and assign that group the Customer license type for Jira Service Management.

That should grant any user in that group the Customer permission.

 

Alternatively, you can simply assign that permission or license to a group that contains your entire company. If there is an "All users" group, you can assign the license there, and all users will have permission to view the Customer Portal.

Antonia
Contributor
June 2, 2025

Hi @Robert DaSilva, thank you very much for your reply.

I made it a bit easier as we already had such a group at our IDP. I have now added our customer to the group. We had already activated SSO for our IT specialists and then we simply added our customers to the group.

I spoke to a supporter once and he said that if our customers are now also in the group, they no longer have to register with a verification code. Unfortunately, they do have to register with a code, but I don't want that. Do you think that's normal? Or how should it behave?

Robert DaSilva
Community Champion
June 2, 2025

Hi @Antonia , do you mean that your users are getting a secondary requirement to verify their identity through an emailed verification code every time they try and log into the system?

This could be related to the "One Time Passcode" settings configured for "External Users", as part of an external user security policy. Atlassian has a support article here: https://support.atlassian.com/security-and-access-policies/docs/available-external-user-security-settings/#One-time-passcode

 

If this is not what you are encountering, please let me know with more details the specific issue you're facing.

 

If I've been helpful, I would appreciate if you could accept my answer on this post.

Cheers

Robert

Antonia
Contributor
June 2, 2025

@Robert DaSilva Thank you very much for your help. Unfortunately, I don't know if the article will help me, because these are not external users. They are internal, so we are all in one company. And yes, I mean, when a customer (internal) clicks on the customer portal, he first has to enter his e-mail address there, and then he receives a verification code (I think one-time) by e-mail. And then they have to enter the code, I think it's six digits.

Robert DaSilva
Community Champion
June 2, 2025

@Antonia Are you able to share a screenshot of the verification screen? That might help narrow down what settings need to be adjusted.

Antonia
Contributor
June 3, 2025

@Robert DaSilva Screenshot 2025-06-03 095824.png

So I open the customer portal, enter the e-mail address there, then I click on “OK” and then click on “Continue with Atlassian account” and then I have to log in to Microsoft and then I get the code.

Robert DaSilva
Community Champion
June 3, 2025

@Antonia Is the email you entered one that you have set up with your single sign on identity provider? 

The 2FA code is configured either as part of the External User settings I shared before, or as part of your Atlassian Guard settings. Please review both sections to ensure things have been configured to your needs.

Guard Settings: https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/#Two-step-verification-for-end-users

External User Settings: https://support.atlassian.com/security-and-access-policies/docs/available-external-user-security-settings/#One-time-passcode

Antonia
Contributor
June 3, 2025

@Robert DaSilva 

Yes, it is in both groups: in IDP and in Jira.

Guard Settings: (I've already been to the settings, and it tells me that I should make the settings in Intune, but I can't find any settings there.)

Screenshot 2025-06-03 163519.png

External User settings: We don't have any external users, but we have done the same for internal users. Our users are internal people.

Robert DaSilva
Community Champion
June 3, 2025

@Antonia Can you confirm the user you attempted to log in with is part of the "Members" tab in the Authentication Policy you just shared a screenshot of?

Antonia
Contributor
June 3, 2025

@Robert DaSilva yes, he is in there.

Robert DaSilva
Community Champion
June 4, 2025

@Antonia And are you noticing the request for verification every time you log in, or is it only showing up the first time?

If the request only shows up the first time, it could be related to Atlassian Account verification, as part of the account creation process, and not something we can control.

If this happens every time, then the setting is likely configured in one of the places I have already identified, or is a new requirement for JSM projects that Atlassian hasn't given control over.

Antonia
Contributor
June 4, 2025

@Robert DaSilva 

It's only the first time when I log in. I wonder if there is any way around this?

Robert DaSilva
Community Champion
June 4, 2025

@Antonia No, the code is used by Atlassian to verify you own the email address you used to sign in. I don't know of any way to disable the first time verification.

Antonia
Contributor
June 4, 2025

@Robert DaSilva I think I have to set my portal to open then; I can't think of anything else.

Deployment type: Cloud
Product plan: Premium
Permissions level: Product Admin