Configure SSO for Trello with Atlassian Guard

SSO for Trello is configured through an Atlassian organization using Atlassian Guard Standard (formerly known as Atlassian Access), which enables visibility and security across all Atlassian accounts and products at your company. It gives admins a way to manage users and enforce security policies, such as single sign-on (SSO) and multi-factor authentication. This guide will walk through each step required to enforce SSO for Trello using Atlassian Guard Standard.

You’ll need to be the admin in your Atlassian organization to complete all steps in this guide. SSO can be configured and enforced without Trello Enterprise. However, if you subscribe to Trello Enterprise, you’ll need to be an admin to complete this guide.

If you’re not sure who the admin of your Atlassian organization is, check with your IT team or contact Trello Support.

Step 1: Create an Atlassian organization

  • If you already have an Atlassian organization, skip this step and continue to Step 2: Verify your domains.

To subscribe to Atlassian Guard Standard, you’ll first need an Atlassian organization. You can create one for free at https://admin.atlassian.com/o/create. If your company already has an Atlassian organization, it will be best to use the same one, as a domain can only be verified by a single Atlassian organization.

Step 2: Verify your domains

  • If you’ve already verified all necessary domains in your Atlassian organization, you can skip this step and move on to Step 3: Claim your accounts.

Verify ownership of your domain by adding a TXT record to its DNS settings, or by uploading an HTML file to the root folder of your domain’s website. Once ownership is proven, you can manage all user accounts from that domain. Learn more about how to verify ownership of your domains here

Step 3: Claim accounts

Verifying ownership of a domain allows you to claim all Atlassian accounts registered with an email from that domain.

Claiming a user’s account will automatically add it to the default Authentication policy if you already have a Guard subscription. Login requirements of that policy will be enforced the next time they log in. Users will not be logged out when they are claimed.

Claiming a domain claims all Atlassian accounts

Claiming a domain will claim all accounts using an Atlassian cloud product, even if they’re not using Trello. If you subscribe to Trello Enterprise, those users will not affect your Trello Enterprise bill and will not be granted an Enterprise license automatically.

Step 4: Start a trial

  • If you already have an Atlassian Guard Standard subscription, skip this step and continue to Step 5: Set up SSO.

Go to https://www.atlassian.com/software/access and click on the “Get started” button to begin a 30-day free trial of Atlassian Guard Standard. You won’t need to enter any credit card information to start the trial, but a credit card is required to continue after the 30-day trial period.

Step 5: Set up SSO

SSO for Trello Enterprise is configured through an Atlassian Organization using Atlassian Guard Standard. How to configure SAML single sign-on

Provisioning Trello profiles automatically

Trello's SCIM API is in the process of being retired. The best way to provision access to Trello is to provision an Atlassian Account for a user using the Atlassian SCIM API or integration with your identity provider, then invite them to the appropriate Trello Workspace from the Workspace's members tab, or through the Trello REST API.

Users provisioned to an Atlassian Org will not be granted a Trello Enterprise license automatically. A license can be granted by inviting that user to an Enterprise workspace within Trello.

IDP-initiated login with Atlassian Guard Standard

The legacy Trello SSO apps do not work with Atlassian Guard Standard. Instead, the Atlassian Cloud App is used for all SAML SSO with Atlassian Guard Standard

If the Atlassian Cloud app for your Identify Provider (IDP) does not offer an option for IDP-initiated login, you can assign a bookmark app in addition to the Atlassian Cloud app so users can navigate directly to Trello from your IDP dashboard. The URL to bookmark is: https://trello.com/ensureSession. This will automatically log a user into the Trello profile that’s linked with their Atlassian account.

In Okta, the https://trello.com/ensureSession URL is used as the Base URL for Trello in the Atlassian Cloud app configuration, but note that this URL does not accept SAML directly.

You will need to be an admin for both the Trello Enterprise and the Atlassian organization in order to link them.

  • See the “Enterprise admin privileges and deactivation” section of this article to add a new Trello Enterprise admin.

  • See the “Make a user an organization admin” section of this article to add a new Atlassian organization admin.

If you have a Trello Enterprise subscription, you can link your Trello Enterprise with your Atlassian organization. This allows your Trello Enterprise to share the list of managed users from your Atlassian Org. This enables the following features:

  1. Enterprise security features that require a user to be managed.

  2. The ability to view Free-managed accounts in your Trello Enterprise admin dashboard.

  3. The ability to claim non-Enterprise Workspaces.

  4. Use of organization-visible boards.

  5. The most secure Enterprise data restrictions.

Each Trello Enterprise license includes the cost of Atlassian Guard Standard for that user. Trello users without a Trello Enterprise license will be billable in Atlassian Guard.

FAQ

How do I verify single sign-on is working?

Your SAML configuration applies to users as soon as you claim users from that domain.

If you want to test SAML SSO with Atlassian Guard Standard first, the best option is to create a default Authentication policy that does not enforce SSO, claim users, then put a single test user in a second Authentication policy, and enable SSO in that policy.

For more troubleshooting with Atlassian Guard SAML login, please refer to Configure SAML single sign-on with an identity provider.

Why can't I find SSO Setup in the Enterprise admin dashboard anymore?

Once the enterprise license changes to the new version of Enterprise, the original SSO Setup tab under enterprise admin console will be removed. We won’t remove your actual SSO configuration within Trello until after the 30 day grace period described above, but it will be superseded during the linking process with Atlassian Guard Standard SSO. You can view your Atlassian organization's SSO configuration in admin.atlassian.com.

When an Enterprise and an Atlassian organization are linked, they’ll share the same set of managed members, based on the organization’s claimed domains. Any Trello user with an email address on the claimed domain will be a managed member of both the Enterprise and the organization. Managed members will not count toward your Enterprise license seats unless they are given an Enterprise license or added to an Enterprise Workspace.

Users are not logged out, but will be required to follow any authentication requirements from their Authentication policy on their next login.

 

Still need help?

The Atlassian Community is here for you.