SSO for Trello is configured through an Atlassian organization using Atlassian Access. Atlassian Access enables visibility and security across all Atlassian accounts and products at your company. It gives admins a way to manage users and enforce security policies, such as SSO and multi-factor authentication. This guide will walk through each step required to enforce SSO for Trello using Atlassian Access.
You’ll need to be the admin in your Atlassian organization to complete all steps in this guide. SSO can be configured and enforced without Trello Enterprise. However, if you subscribe to Trello Enterprise, you’ll need to be an admin there to complete this guide.
If you’re not sure who the admin of your Atlassian organization is, check with your IT team or contact Trello Support.
Step 1: Create an Atlassian organization
If you already have an Atlassian organization, skip this step and continue to Step 2: Verify your domains.
To subscribe to Atlassian Access, you’ll first need an Atlassian organization. You can create one for free at https://admin.atlassian.com/o/create. If your company already has an Atlassian organization, it will be best to use the same one, as a domain can only be claimed by a single Atlassian organization.
Step 2: Verify your domains
If you’ve already verified all necessary domains in your Atlassian organization, you can skip this step and move on to Step 3: Claim your accounts.
Verify ownership of your domain by adding a TXT record to its DNS settings, or by uploading an HTML file to the root folder of your domain’s website. Once ownership is proven, you can manage all user accounts from that domain.
You can find step-by-step instructions on how to verify ownership of your domains here.
When migrating from Trello’s legacy SSO, all domains claimed in your Trello Enterprise must also be claimed in your Atlassian organization. This is only required if you’ve used Trello’s legacy SSO without Atlassian Access.
If you’re not sure which domains your Trello Enterprise has claimed, contact the Trello Support team for assistance.
Step 3: Claim accounts
Verifying ownership of a domain allows you to claim all Atlassian accounts registered with an email from that domain.
Claiming a user’s account will automatically add it to the default Authentication policy if you already have an Access subscription. Login requirements of that policy will be enforced the next time they log in. Users will not be logged out when they are claimed.
Atlassian Access billing note:
Claiming accounts from a domain will claim all accounts using any eligible Atlassian cloud product, even if they’re not using Trello. These users will be included in the bill for your Access subscription. If you subscribe to Trello Enterprise, those users will not impact your Trello Enterprise bill and will not be granted an Enterprise license.
Deactivated Trello Enterprise accounts:
Enterprise deactivation in Trello releases a user’s Trello Enterprise license and prevents access to Enterprise content, but it doesn't deactivate the Atlassian account or Trello profile entirely. To make those accounts non-billable in Atlassian Access they must be deactivated in the Atlassian Organization, or put in a non-billable authentication policy.
Step 4: Start an Atlassian Access trial
If you already have an Atlassian Access subscription, skip this step and continue to Step 5: Set up SSO.
Go to https://www.atlassian.com/software/access and click on the “Get started” button to begin a 30-day free trial of Atlassian Access. You won’t need to enter any credit card information to start the trial, but a credit card is required to continue after the 30-day trial period.
Step 5: Set up SSO
Detailed instructions for setting up SSO with Atlassian Access can be found here.
A note about user provisioning:
Trello's SCIM API is in the process of being retired. The best way to provision access to Trello is to provision an Atlassian Account for a user using the Atlassian SCIM API or integration with your identity provider, then invite them to the appropriate Trello Workspace from the Workspace's members tab, or through the Trello REST API.
Users provisioned to an Atlassian Org will not be granted a Trello Enterprise license automatically. A license can be granted by inviting that user to an Enterprise workspace within Trello.
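The provisioning flow described above, as an added Python example (not code from the article or from Atlassian): create the Atlassian account through the Atlassian SCIM API, then invite that user to a Trello Workspace through the Trello REST API, which is what actually grants the seat. The SCIM and Trello endpoint URLs, the directory id, and Trello's key/token query-parameter authentication are assumptions based on the public APIs; the `send` transport argument lets the same flow run against a recording fake.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Assumed endpoints (not taken from the article): Atlassian user provisioning
# (SCIM 2.0) and the Trello REST API workspace-invite call.
SCIM_BASE = "https://api.atlassian.com/scim/directory"
TRELLO_BASE = "https://api.trello.com/1"


def build_scim_user(email, given_name, family_name):
    """SCIM 2.0 core User resource (RFC 7643) for the account to provision."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": email,
        "emails": [{"value": email, "type": "work", "primary": True}],
        "name": {"givenName": given_name, "familyName": family_name},
        "displayName": f"{given_name} {family_name}",
        "active": True,
    }


def provision_atlassian_account(send, directory_id, scim_token, email, given_name, family_name):
    """First step: create the Atlassian account in the org's provisioning directory."""
    url = f"{SCIM_BASE}/{directory_id}/Users"
    headers = {"Authorization": f"Bearer {scim_token}", "Content-Type": "application/scim+json"}
    return send("POST", url, headers, json.dumps(build_scim_user(email, given_name, family_name)))


def invite_to_workspace(send, workspace_id, api_key, api_token, email, full_name, admin=False):
    """Second step: invite the user to the Trello Workspace (this is what grants a seat)."""
    # Trello authenticates with key/token query parameters, so keep request URLs out of proxy logs.
    params = {"email": email, "fullName": full_name,
              "type": "admin" if admin else "normal", "key": api_key, "token": api_token}
    return send("PUT", f"{TRELLO_BASE}/organizations/{workspace_id}/members?{urlencode(params)}", {}, None)


def onboard(send, directory_id, scim_token, workspace_id, api_key, api_token, email, given_name, family_name):
    """Provision, then invite; stop unless the account was created (201) or already existed (409)."""
    status, _ = provision_atlassian_account(send, directory_id, scim_token, email, given_name, family_name)
    if status not in (201, 409):
        return {"provisioned": False, "invited": False, "scim_status": status}
    inv_status, _ = invite_to_workspace(send, workspace_id, api_key, api_token, email, f"{given_name} {family_name}")
    return {"provisioned": True, "invited": inv_status == 200, "scim_status": status}


def urllib_send(method, url, headers, body):
    """Real transport: returns (status, response_text). Pass credentials in from your secret store."""
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
```

Run it for real with `onboard(urllib_send, ...)`; the user still receives no Trello Enterprise license until invited to an Enterprise Workspace, exactly as the note above says.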
Legacy Trello SSO
If the SSO configuration for Atlassian Access is using the same IdP (e.g., Okta, Azure, Idaptive, etc.) as your Trello Enterprise, you can configure that tenant with Atlassian Access to enable SSO for Trello. If you’re using a different IdP with Atlassian Access, you’ll need to add your Trello users to that IdP.
IdP-initiated login with Atlassian Access
The legacy Trello SSO apps do not work with Atlassian Access. Instead, the Atlassian Cloud App is used for all SAML SSO with Atlassian Access.
If the Atlassian Cloud app for your Identity Provider (IdP) does not offer an option for IdP-initiated login, you can assign a bookmark app in addition to the Atlassian Cloud app so users can navigate directly to Trello from your IdP dashboard. The URL to bookmark is: https://trello.com/ensureSession. This will automatically log a user into the Trello profile that’s linked with their Atlassian account.
In Okta, the https://trello.com/ensureSession URL is used as the Base URL for Trello in the Atlassian Cloud app configuration, but note that this URL does not accept SAML directly.
Step 6: Link your Enterprise to your organization
You will need to be an admin for both the Trello Enterprise and the Atlassian organization in order to link them.
Linking your Trello Enterprise with your Atlassian organization allows your Trello Enterprise to share the list of managed users from your Atlassian Org. This enables the following features:
Enterprise security features that require a user to be managed.
The ability to view free Trello users from your verified domains in the Free-managed accounts section of your Trello Enterprise admin dashboard.
Use of organization visible boards.
The most secure Enterprise data restrictions.
Legacy Trello SSO
Linking your Trello Enterprise with an Atlassian organization will also permanently bypass any legacy Trello SSO configuration from your Trello Enterprise. Once linked, all users will log in with their Atlassian accounts based on your Authentication policies in Atlassian Access. If you don’t use Access, or haven’t configured your Authentication policies, users will log in with email and password by default.
Each Trello Enterprise license includes the cost of Atlassian Access for that user. Trello users without a Trello Enterprise license will be billable in Atlassian Access.
How do I verify my Atlassian Access SSO is working?
Your Atlassian Access SAML configuration applies to users as soon as you claim the accounts from that domain.
If you want to test SAML SSO with Atlassian Access first, the best option is to create a default Authentication policy in Atlassian Access that does not enforce SSO, claim users, then put a single test user in a second Authentication policy, and enable SSO in that policy.
For more troubleshooting on Access SAML login, please refer to Configure SAML single sign-on with an identity provider.
Why can't I find SSO Setup in the Enterprise admin dashboard anymore?
Once the enterprise license changes to the new version of Enterprise, the original SSO Setup tab in the Enterprise admin dashboard will be removed. We won’t remove your actual SSO configuration within Trello until after the 30-day grace period described above, but it will be superseded during the linking process with Atlassian Access SSO. You can view your Atlassian organization's SSO configuration in admin.atlassian.com.
What will happen to my end users when I link my Enterprise to an Atlassian organization?
When an Enterprise and an Atlassian organization are linked, they’ll share the same set of managed members, based on the organization’s claimed domains. Any Trello user with an email address on the claimed domain will be a managed member of both the Enterprise and the organization. Managed members will not count toward your Enterprise license seats unless they are given an Enterprise license or added to an Enterprise Workspace.
Users are not logged out, but will be required to follow any authentication requirements from their Authentication policy on their next login.