| If your organization at admin.atlassian.com is new and you subscribe to Access after early October 2020, the content on this page applies to you. |
Available authentication policy settings for your organizations
With authentication policies, you configure settings for different sets of users. These sets of users come from your managed accounts. When you test settings on a small set of users, you reduce the risk of rolling out an error to your entire organization.
You need a subscription with Atlassian Access to create more than one authentication policy and to apply single sign-on (SSO) and two-step verification to an authentication policy. The settings that can be configured through authentication policies are:
Setting | Description | Requires Access |
|---|---|---|
SSO through SAML or G Suite | Enforce members to log in to Atlassian products with your identity provider. |
|
Two-step verification | Make it optional to set up and use a second step when logging in. |
|
Require members to set up and use a second step when logging in. | ||
Password requirements | Choose minimum strength for user passwords. | |
Choose when a password expires. | ||
Idle session duration | Decide how long members can be inactive before logging them out. |
Add settings to your authentication policies
Single sign-on (SSO)
SSO allows your users to log in using your organization's identity provider to access all your Atlassian cloud products. Create one authentication policy to test an SSO configuration on a few accounts before turning it on for your whole organization.
Set up SSO for SAML or G Suite
When you select SAML SSO, you’re redirected from the authentication policy to the SAML SSO configuration page. Learn how to configure SAML SSO.
When you select G Suite, you’re redirected from the authentication policy to the G Suite setup page. Learn how to set up G Suite SSO.
Once you’re done configuring SAML SSO or G Suite SSO, you need to enforce SSO in the policy.
To enforce SSO:
Navigate to Authentication Policies at admin.atlassian.com.
Select Edit for the policy you want to enforce.
Select Enforce single sign-on.
Why are non-G Suite members unable to log in?
If you use a non-G Suite domain, members from that domain can’t log in.
Here's why this can happen.
When you enforce G Suite single sign-on for a default policy, non-G Suite members can’t log in.
This is how you can help these members to log in.
Create another policy for non-G Suite members so they can log in.
Enforce two-step verification
Two-step verification adds a second login step. The second step keeps the user accounts secure even if the password is compromised. When account logins are secure, your organization's products and resources are safer.
You can require members to set up and use a second step when logging in or make it optional.
If you enforce SSO, you can only set up two-step verification in your identity provider and not in your authentication policy. Learn more.
Password requirements
You can choose the minimum strength that all passwords must comply with. By default, passwords do not expire. However, you can set an expiration period by defining the number of days for password expiration.
If you enforce SSO, you can only set up password requirements in your identity provider and not in your authentication policy. Learn more.
Idle session duration
Idle session duration is the amount of time a member stays logged in before we log them out and they have to log back in. Learn more.
Add members to your authentication policies
Members come from your managed accounts, and you add them to different policies. Enter members individually or in bulk to an individual authentication policy.
To enter members individually:
Navigate to Security > Authentication Policies at admin.atlassian.com.
Select Edit.
Select Members tab > Add members.
Enter a user name or email address (only up to 20 users).
Select Add.
To enter members in bulk:
Navigate to Security > Authentication Policies at admin.atlassian.com.
Select Edit.
Select Members tab > Add members.
Select Bulk entry > Select Upload to add CSV file (only up to 1000 emails from your managed accounts are allowed).
Select Add.
We’ll notify you with an email when your bulk member update is complete. You can view your audit logs to check which members were added or could not be added. Learn more about audit logs.
Change policy for member
Some members may need different security settings and will need to be moved from one policy to another policy.
To change member’s policy:
Navigate to Security > Authentication Policies at admin.atlassian.com.
Select Edit in the member’s policy you want to change.
Select Members tab > Change member’s policy.
Choose a different policy for this member.
We'll add the member to the new policy and apply the change next time the member logs in.