SSO for Trello is configured through an Atlassian organization using Atlassian Access. Atlassian Access enables visibility and security across all Atlassian accounts and products at your company. It gives admins a way to manage users and enforce security policies, such as SSO and multi-factor authentication. This guide will walk through each step required to enforce SSO for Trello using Atlassian Access.
You’ll need to be the admin in your Atlassian organization to complete all steps in this guide. SSO can be configured and enforced without Trello Enterprise. However, if you subscribe to Trello Enterprise, you’ll need to be an admin to complete this guide.
If you’re not sure who the admin of your Atlassian organization is, check with your IT team or contact Trello Support.
Step 1: Create an Atlassian organization
If you already have an Atlassian organization, skip this step and continue to Step 2: Verify your domains.
To subscribe to Atlassian Access, you’ll first need an Atlassian organization. You can create one for free at https://admin.atlassian.com/o/create. If your company already has an Atlassian organization, it will be best to use the same one, as a domain can only be verified by a single Atlassian organization.
Step 2: Verify your domains
If you’ve already verified all necessary domains in your Atlassian organization, you can skip this step and move on to Step 3: Claim your accounts.
Verify ownership of your domain by adding a TXT record to its DNS settings, or by uploading an HTML file to the root folder of your domain’s website. Once ownership is proven, you can manage all user accounts from that domain. Learn more about how to verify ownership of your domains here
Step 3: Claim accounts
Verifying ownership of a domain allows you to claim all Atlassian accounts registered with an email from that domain.
Claiming a user’s account will automatically add it to the default Authentication policy if you already have an Access subscription. Login requirements of that policy will be enforced the next time they log in. Users will not be logged out when they are claimed.
Claiming a domain claims all Atlassian accounts
Claiming a domain will claim all accounts using an Atlassian cloud product, even if they’re not using Trello. If you subscribe to Trello Enterprise, those users will not affect your Trello Enterprise bill and will not be granted an Enterprise license automatically.
Step 4: Start an Atlassian Access trial
If you already have an Atlassian Access subscription, skip this step and continue to Step 5: Set up SSO.
Go to https://www.atlassian.com/software/access and click on the “Get started” button to begin a 30-day free trial of Atlassian Access. You won’t need to enter any credit card information to start the trial, but a credit card is required to continue after the 30-day trial period.
Step 5: Set up SSO
SSO for Trello Enterprise is configured through an Atlassian Organization using Atlassian Access. Learn more about configuring SSO with Atlassian Access here
Provisioning Trello profiles automatically
Trello's SCIM API is in the process of being retired. The best way to provision access to Trello is to provision an Atlassian Account for a user using the Atlassian SCIM API or integration with your identity provider, then invite them to the appropriate Trello Workspace from the Workspace's members tab, or through the Trello REST API.
Users provisioned to an Atlassian Org will not be granted a Trello Enterprise license automatically. A license can be granted by inviting that user to an Enterprise workspace within Trello.
IDP-initiated login with Atlassian Access
The legacy Trello SSO apps do not work with Atlassian Access. Instead, the Atlassian Cloud App is used for all SAML SSO with Atlassian Access.
If the Atlassian Cloud app for your Identify Provider (IDP) does not offer an option for IDP-initiated login, you can assign a bookmark app in addition to the Atlassian Cloud app so users can navigate directly to Trello from your IDP dashboard. The URL to bookmark is: https://trello.com/ensureSession. This will automatically log a user into the Trello profile that’s linked with their Atlassian account.
In Okta, the https://trello.com/ensureSession URL is used as the Base URL for Trello in the Atlassian Cloud app configuration, but note that this URL does not accept SAML directly.
Step 6: Link your Enterprise to your organization
You will need to be an admin for both the Trello Enterprise and the Atlassian organization in order to link them.
Linking your Trello Enterprise with your Atlassian organization allows your Trello Enterprise to share the list of managed users from your Atlassian Org. This enables the following features:
Enterprise security features that require a user to be managed.
The ability to view Free-managed accounts in your Trello Enterprise admin dashboard.
The ability to claim non-Enterprise Workspaces.
Use of organization-visible boards.
The most secure Enterprise data restrictions.
Each Trello Enterprise license includes the cost of Atlassian Access for that user. Trello users without a Trello Enterprise license will be billable in Atlassian Access.
How do I verify my Atlassian Access SSO is working?
Your Atlassian Access SAML configuration applies to users as soon as you claim users from that domain.
If you want to test SAML SSO with Atlassian Access first, the best option is to create a default Authentication policy in Atlassian Access that does not enforce SSO, claim users, then put a single test user in a second Authentication policy, and enable SSO in that policy.
For more troubleshooting on Access SAML login, please refer to Configure SAML single sign-on with an identity provider.
Why can't I find SSO Setup in the Enterprise admin dashboard anymore?
Once the enterprise license changes to the new version of Enterprise, the original SSO Setup tab under enterprise admin console will be removed. We won’t remove your actual SSO configuration within Trello until after the 30 day grace period described above, but it will be superseded during the linking process with Atlassian Access SSO. You can view your Atlassian organization's SSO configuration in admin.atlassian.com.
What will happen to my end users when I link my Enterprise to an Atlassian organization?
When an Enterprise and an Atlassian organization are linked, they’ll share the same set of managed members, based on the organization’s claimed domains. Any Trello user with an email address on the claimed domain will be a managed member of both the Enterprise and the organization. Managed members will not count toward your Enterprise license seats unless they are given an Enterprise license or added to an Enterprise Workspace.
Users are not logged out, but will be required to follow any authentication requirements from their Authentication policy on their next login.
Was this helpful?