Authentication policy settings for your organizations
Authentication policies give you the flexibility to configure multiple security levels for different user sets within your organization. Authentication policies also reduce risk by giving you the ability to test different configurations for subsets of users before rolling them out to your whole company.
The settings you can configure through authentication policies are:
| Setting | Description | Available for Atlassian Cloud (✅ when setting requires Atlassian Guard Standard) | Available for Atlassian Government Cloud |
|---|---|---|---|
| Single sign-on through SAML or Google Workspace | Enforce members to log in to Atlassian apps with your identity provider. | ✅ | Only SAML, not Google Workspace |
| Two-step verification | Require members to set up and use a second step when logging in. | Included by default | Check your identity provider |
| | Make it optional to set up and use a second step when logging in. | Included by default | Not available |
| User API tokens | Control whether members create new or use existing API tokens to authenticate to your organization’s app data. | Included by default | Available |
| User API token expiration | Choose when a user API token expires in your authentication policy. | ✅ | Not available |
| Revoke user API tokens | Revoke user API tokens for members in an authentication policy. | Included by default | Not available |
| Third-party login | Allow members to log in to Atlassian apps with third-party accounts. | Included by default | Not available |
| | Prevent members from logging in to Atlassian apps with third-party accounts. | Included by default | Not available |
| Password requirements | Choose minimum strength for user passwords. | Included by default | Check your identity provider |
| | Choose when a password expires. | Included by default | Check your identity provider |
| Idle session duration | Choose how long members can be idle before we log them out. | Included by default | Available |
| Session expiration | Set a fixed time limit for user sessions, regardless of user activity. | ✅ | Available |
| Mobile session expiration | Choose when a mobile app session expires for members of an authentication policy. | ✅ | Not available |
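To review exported policy settings against the rules in the table, here is an added example (not Atlassian's code or API): a small Python linter over a constructed policy model. The field names, the `"idp"` marker for settings handed to the identity provider, and the two-step and third-party checks are this example's own assumptions and hardening choices.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the per-policy settings in the table above; not Atlassian's schema.
@dataclass
class AuthPolicy:
    name: str
    enforce_sso: bool
    two_step: str                         # "required", "optional" or "idp" (set in the identity provider)
    third_party_login: str                # "allow", "block" or "idp"
    api_tokens_blocked: bool
    api_token_expiry_days: Optional[int]  # None means "Never expires"
    password_expiry_days: Optional[int]   # None means passwords never expire (the default)
    mobile_session_days: int


def lint_policy(p: AuthPolicy) -> list[str]:
    """Return one finding per setting that breaks a rule from the page or weakens the policy."""
    findings: list[str] = []
    if p.enforce_sso:
        # With SSO enforced, 2SV, third-party login and passwords are managed in the identity provider.
        for field, value in (("two_step", p.two_step), ("third_party_login", p.third_party_login)):
            if value != "idp":
                findings.append(f"{p.name}: {field} must be managed in the identity provider when SSO is enforced")
        if p.password_expiry_days is not None:
            findings.append(f"{p.name}: password expiration must be managed in the identity provider when SSO is enforced")
    else:
        # Hardening choices of this example, not rules from the page: require 2SV, block third-party login.
        if p.two_step == "optional":
            findings.append(f"{p.name}: two-step verification is optional, not required")
        if p.third_party_login == "allow":
            findings.append(f"{p.name}: third-party login is allowed")
    if not p.api_tokens_blocked:
        # Token expiration is "Never expires" or 1 to 365 days; never-expiring tokens are flagged as weak.
        if p.api_token_expiry_days is None:
            findings.append(f"{p.name}: user API tokens never expire")
        elif not 1 <= p.api_token_expiry_days <= 365:
            findings.append(f"{p.name}: API token expiration must be 1 to 365 days")
    if not 7 <= p.mobile_session_days <= 365:
        findings.append(f"{p.name}: mobile session must be 7 to 365 days")
    return findings


if __name__ == "__main__":
    pilot = AuthPolicy("pilot", False, "optional", "allow", False, None, None, 400)  # constructed
    for finding in lint_policy(pilot):
        print(finding)
```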
Single sign-on (SSO)
SSO allows your users to log in using your organization's identity provider to access all your Atlassian apps. Create one authentication policy to test an SSO configuration on a few accounts before turning it on for your whole organization.
Set up SSO for SAML or Google Workspace
When you select SAML SSO, you’re redirected from the authentication policy to the SAML SSO configuration page. How to configure SAML single sign-on.
When you select Google Workspace, you’re redirected from the authentication policy to the Google Workspace setup page. How to set up Google Workspace.
Once you’re done configuring SAML SSO or Google Workspace SSO, you need to enable SSO in the policy.
To enable SSO:
1. Go to Atlassian Administration. Select your organization if you have more than one.
2. Select Security > User security > Authentication policies.
3. Select Edit for the policy you want to enforce.
4. Select Enforce single sign-on.
Warning: What happens if you enforce SSO on users who are not in an identity provider?
Two-step verification
Two-step verification adds a second login step. The second step keeps the user accounts secure even if the password is compromised. When account logins are secure, your organization's apps and resources are safer.
You can require members to set up and use a second step when logging in or make it optional.
If you enable SSO, you can only set up two-step verification in your identity provider and not your authentication policy. How to enforce two-step verification
User API tokens
Users create API tokens to authenticate themselves into an organization and to run scripts. Members can access your organization's app data with Atlassian’s app APIs. User API token settings control whether members can make API calls with an API token to your organization's apps. Manage API tokens for your Atlassian account
By default, your organization's user API token settings are set to allow access. With the user API token setting, you can allow or block members from:
- Creating a new API token
- Using an existing API token
To block user API tokens:
1. Go to Atlassian Administration. Select your organization if you have more than one.
2. Select Security > User security > Authentication policies.
3. Select Edit for the policy you want to block.
4. Select Block members from creating a new or using an existing API token.
5. Select Update.
Time needed to update user API tokens
When you allow or block user API tokens, we apply the update the next time a member tries to make an API call with a token to run a script against your organization.
It can take up to 10 minutes to complete the update. If a member tries to access your apps with a user API token before we complete the update, they can still access the organization.
API token expiration
When a user creates an API token, we automatically set the token to expire in one year.
You can set the token to never expire or set a different expiration date in an authentication policy. You can set the token to expire between 1 and 365 days. The expiration date applies to members with API tokens in the authentication policy.
When members in the authentication policy try to access APIs with an expired API token, we let them know when the token expired.
To update the expiration of user API tokens:
1. Go to Atlassian Administration. Select your organization if you have more than one.
2. Select Security > User security > Authentication policies.
3. Select Edit for the policy you want to update.
4. Select Never expires or Expires. When you select Expires, enter 1 to 365 days.
The expiration date applies to members with tokens in the authentication policy.
Third-party login
Control whether members can log in to your apps with third-party accounts such as Google, Microsoft, Apple and Slack accounts.
To control third-party login:
1. Go to Atlassian Administration. Select your organization if you have more than one.
2. Select Security > User security > Authentication policies.
3. Select Edit for the relevant policy.
4. Under Settings, find Third‑party login and select either:
   - Allow third‑party login – Members can log in with Google, Microsoft, Apple, and Slack accounts.
   - Block third‑party login – Members can’t log in with those third‑party accounts.
If you enable SSO, you can only manage third-party logins in your identity provider and not in your authentication policy.
Password requirements
You can choose the minimum strength that all passwords must comply with. By default, passwords do not expire. However, you can set an expiration period by defining the number of days for password expiration.
If you enable SSO, you can only set up password requirements in your identity provider and not your authentication policy.
Idle session duration
Idle session duration is the amount of time a member stays logged in before we log them out, and they have to log back in. How to update idle session duration
Session expiration
You can set a fixed time limit for user sessions. When the time limit is reached, users are automatically signed out — even if they’re still active. Before the session ends, users see a banner that tells them how much time they have left and that they’ll need to sign in again. How to set session expiration
Mobile session expiration
You can choose when a mobile app session expires for members of an authentication policy. You’re able to update the number of days a session lasts. A session must be at least 7 days and at most 365 days.
To ensure uninterrupted access to a mobile app, we prompt users to re-authenticate before their session expires.
The mobile app session setting applies to these mobile apps:
- Jira Cloud
- Confluence Cloud
- Opsgenie (Atlassian Accounts only)
How to set mobile app session expiration
Reset sessions
When you reset sessions for an authentication policy, we log out all members from the policy in about ten minutes. We recommend letting your members know when you reset their sessions.
To reset sessions:
1. Go to Atlassian Administration. Select your organization if you have more than one.
2. Select Security > User security > Authentication policies.
3. Select Edit for the policy you want to modify.
4. On the Settings or Members page, select Reset sessions.
You can also reset sessions for an external user policy. How to reset sessions for external users