Resolve SSO redirection issues for user authentication in Atlassian
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
Users are not redirected to the identity provider (IdP) by the SAML authentication flow, and Atlassian Guard features such as enforced SSO and user provisioning stop working, because the Atlassian Guard subscription is inactive.
Environment
This KB applies to organizations that had Atlassian Guard configured and integrated SAML Single Sign-On / User provisioning.
Diagnosis
Features like enforced SSO and user provisioning may stop working if your Atlassian Guard subscription is deleted. To confirm, log in to admin.atlassian.com, select your organization, and go to Billing. If you had an Atlassian Guard subscription and it is no longer listed under Billing, the subscription has been deleted or deactivated.
If a Guard subscription is listed, the likely cause is that the end user's Atlassian account is not covered by an authentication policy with enforced SSO enabled. In other words, SAML is configured but not yet enforced for the relevant end users. Please see:
Ensure that the end user(s) is added to an authentication policy where enforced SSO is enabled
Cause
Deletion of the Atlassian Guard subscription. The subscription may be deleted because of non-payment or because payment details were not updated. Atlassian sends email notifications to the billing contact before the Atlassian Guard subscription is deleted.
Solution
If there is no active Atlassian Guard subscription, contact the billing support team for assistance with reactivating your Guard subscription.
If the Guard subscription has been inactive for less than 14 days, then the enforced SSO(SAML) configuration, user provisioning configuration and authentication policies are retained and do not need to be reconfigured upon reactivating the Guard subscription. If this is the case, skip to the Update Atlassian Guard billing details to avoid subscription deletion in the future section.
If your Guard subscription has been inactive for over 14 days, you will need to recreate your SAML configuration and user provisioning settings.
Please see Resolve Atlassian Guard payment issue for more information.
Reconfigure User provisioning
- Review the relevant documentation: Understand user provisioning
- Check whether a provisioning directory is already configured. In the appropriate Atlassian organization (https://admin.atlassian.com), navigate to Security > Identity providers > [select the appropriate identity provider directory]
- If there is an option to "Set up provisioning", continue with this guide
- If there is an option to "View troubleshooting log", then skip this section and continue to the Reconfigure enforced SSO(SAML) section below
- In the IdP, unassign all users and groups from the Atlassian Cloud IdP app. This step helps prevent sync errors later on. If possible, create a new instance of the Atlassian Cloud IdP app, but unassigning all users and groups from the existing Atlassian Cloud IdP app is expected to be sufficient
- Create a new provisioning directory by navigating to Security > Identity providers > [select the appropriate identity provider directory] > "Set up provisioning" on the appropriate Atlassian organization. The provisioning directory creation flow will present a directory URL and an API token - copy these values
- Update the directory URL and API token on the Atlassian Cloud app in the IdP. Most IdPs will have a "Test connection" option to verify that the directory URL and API token combination is valid
- Once the test connection succeeds, save your configuration. If it fails, check the values or generate a new directory URL and API token pair by following these instructions: https://developer.atlassian.com/cloud/admin/user-provisioning/rest/intro/#auth
- In the IdP, re-assign all users and groups to the Atlassian Cloud IdP app. If a new Atlassian Cloud IdP app was created, then simply assign the relevant users and groups to the newly created Atlassian Cloud IdP app
- Once group provisioning has completed, the Atlassian organization UI may display a group name conflict warning. This happens because the provisioning process attempts to sync groups that already exist on the Cloud sites. If so, see Resolve Group Conflicts for instructions on resolving the group name conflicts
Reconfigure enforced SSO(SAML)
- Go to the appropriate Atlassian organization - https://admin.atlassian.com
- Go to Security > Identity providers > [select the appropriate identity provider directory] > View SAML configuration
- Reconfigure the SAML configuration: Configure SAML single sign-on with an identity provider
- Go to Security > Authentication policies
- Recreate the authentication policies as required. Documentation: Configure authentication policies for your organization
- Enable "Enforced SSO" on at least one authentication policy and ensure that the relevant users have been added to that policy (or policies)
- Test enforced SSO(SAML) login
Update Atlassian Guard billing details to avoid subscription deletion in the future
- Go to the appropriate Atlassian organization - https://admin.atlassian.com
- Go to Billing > "Atlassian Guard" > Manage
- Select Billing details to add a payment method, billing address, and billing contact details
- Follow the prompts and confirm changes
If your organization account is under external partner management, reach out to your partner to get the Atlassian Guard billing details updated.