Users not re-directed to SSO login for authentication with Okta

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Summary

Users are not redirected to SAML SSO authentication, and Atlassian Access features such as SAML SSO authentication and user provisioning are not working.

Environment

This KB applies to organizations that had Atlassian Access configured and had integrated SAML single sign-on / user provisioning with Okta.

Diagnosis

Atlassian Access features such as SAML SSO authentication and user provisioning stop working when the Atlassian Access subscription is deleted. To confirm this, log in to admin.atlassian.com, choose your organization, and go to Billing. If you had an Atlassian Access subscription and it is no longer listed under Billing, the subscription has been deleted.

Cause

Deletion of the Atlassian Access subscription. The subscription may be deleted due to non-payment or if payment methods are not updated. Atlassian sends email notifications to the billing contact before the Atlassian Access subscription is deleted.

Solution

Activate a free trial of the Atlassian Access subscription by logging in at admin.atlassian.com and choosing your organization. Once the trial subscription is activated, re-enable the SAML SSO and user provisioning features.

Enable SAML SSO

  1. The SAML SSO configuration is not deleted when the Atlassian Access subscription is deleted. In your Atlassian organization, navigate to Security > SAML single sign-on and confirm that the SAML configuration is intact.

  2. Navigate to Security > Authentication policies > Select the policy that had SSO enabled > Edit > Check "Enforce Single sign-on" > Update

  3. This re-enables SAML SSO for your organization.

Reconfigure User provisioning

  1. The directory for user provisioning is deleted along with the Atlassian Access subscription, so create a new directory by navigating to Directory > User provisioning > Create Directory in your Atlassian organization.

  2. Copy and save the directory URL and the API token created in step 1.

  3. Navigate to the Atlassian Cloud application in Okta. Remove/unlink all Pushed Groups with the option "Leave the group in the target app".

  4. Unassign all Users/Groups from the "Atlassian Cloud" app in Okta (this will prevent users from being able to log in to Atlassian).

  5. Update the Okta Provisioning > Integration settings with the new Atlassian user provisioning API token and URL created in step 1.

  6. Re-add the Push Groups under the Atlassian Cloud application.

  7. Re-assign Users/Groups to the "Atlassian Cloud" application.

Once Okta has been 'reset' and begins pushing groups into the new user provisioning directory, you may need to Resolve Group Conflicts so that the groups in the cloud site are relinked with Okta.

Update Atlassian Access billing details to avoid subscription deletion in the future

  1. Go to Billing > Atlassian Access > Billing details.

  2. Click Update billing details to add a credit card, billing address, and billing contact details.

  3. Confirm your billing address and click Next.

  4. Choose your preferred payment method and click Next.

  5. Accept the terms and conditions and click Subscribe.

You'll be redirected back to the Billing details page once your subscription for Atlassian Access has been processed successfully. 

If you are paying for existing Atlassian cloud products and services, you still need to add your billing details for Atlassian Access in the billing section of your organization.

If your organization account is under external partner management, reach out to your partner to get the Atlassian Access billing details updated.

Updated on March 14, 2025
