Support SAML for Bitbucket Cloud

Issue #14383 resolved
Theodora Boudale staff created an issue

This has been asked and answered in Community Support over here:

I am opening a ticket here for tracking purposes.

Official response

Comments (32)

  1. Sam Bott

    We are currently trialling cloud-hosted git services. The lack of SAML will probably lead us to choose GitHub which is a shame as there is plenty going for BitBucket.

  2. Ashish Agrawal

    A regular status update will help! Some of our customers are awaiting this feature to enable SSO from Okta and other AM products.

  3. Joseph Silva

    I have moved my 50 devs to github because they support SAML. Please add SAML support, would prefer to use bitbucket.

  4. Jamil Khan

    +50: The number of developers we're hoping to move over to Bitbucket.

    Are there any updates on the progress of this ticket, and/or an ETA?

  5. Yoav Zuri

    Bitbucket is the last service I use without any form of SSO. Not for long.
    Please handle this soon, as you can see it's important for many of your larger customers.

  6. Alastair Wilkes staff

    Hi there,

    Thanks to everyone for your interest in this issue. I'd like to provide a status update regarding SAML and Bitbucket.

    First, I need to define some terms:

    • Atlassian account - a user account (email address and password) used to log into all Atlassian products
    • Organization - a collection of Atlassian accounts whose emails are from a domain (e.g. @acme.com) you've established ownership of (or "claimed") at admin.atlassian.com
    • Bitbucket account - a user's Bitbucket account (e.g. bitbucket.org/username); users log in to their Bitbucket accounts using their Atlassian account credentials

    With that in mind, we just released Atlassian Access. Atlassian Access lets you create an organization, claim your email domain, and then enable SAML (among other features) for all the Atlassian accounts in that domain, all for a low monthly price.

    Once that's set up, your users can log in to their Bitbucket accounts using SAML via the Log in with Atlassian Access/SAML link on the Bitbucket login form. That link redirects to the Atlassian account login form, which redirects to your SAML provider. After authenticating there, the user will be sent back to Bitbucket, logged in.

    At this time, you need to be a Jira, Confluence, or Stride customer to sign up for Atlassian Access - Atlassian Access signup is not yet available for customers that only use Bitbucket. This means that if you’re a Bitbucket customer and a Jira, Confluence, or Stride customer, you can create an organization, claim your domain, and enable SAML via Atlassian Access.

    We hope to bring the ability to sign up for Atlassian Access to Bitbucket-only customers soon. So while it is now possible to use SAML to log in to Bitbucket, I'm going to leave this ticket open until it's available to Bitbucket-only customers.

    Thanks,
    Alastair
    Bitbucket PM

  7. Isaac Chua

    Hi Alastair,

    Thanks for this. I would like to further understand the approach Atlassian is taking towards linking up Bitbucket accounts to Atlassian accounts and organisations. (This is a rather "technical" topic I can't seem to find more info about.)

    Using an illustration:

    • John Doe has his personal Bitbucket account with username johndoe which is linked to his Atlassian account under johndoe@gmail.com.
    • He works for Acme Corp, an organisation that owns @acme.com and has Atlassian Access with the domain claimed. His work Atlassian account and email address is john.doe@acme.com.
    • Acme Corp has its own Bitbucket Cloud team, whereupon they grant repository access permissions to their employees' Bitbucket usernames, directly to the specific repositories or through User Groups.
    • Acme Corp has implemented Azure Active Directory (or can be any other identity provider in the generic case) which they use to manage access control throughout the entire organisation.
    • Acme Corp has a legitimate problem with managing repository access, especially with (a) new or leaving developers, and (b) developers switching among teams, and they hope that this could be solved with Atlassian Access.
    • John Doe would not like to create a specific Bitbucket account, such as johndoe_acme, just to link to his work Atlassian account for access. After all, this Bitbucket account would become defunct when he leaves Acme Corp, and could become a security problem for Acme Corp that is not in their control.

    My questions therefore are:

    1. Will Atlassian Access allow a user like John Doe to access Acme Corp Bitbucket repositories using his work Atlassian account, without having to create a Bitbucket account for that work account, or by linking to his existing personal Bitbucket account (which could be decoupled by Acme)?
    2. Will Atlassian Access/Bitbucket have the feature to grant access to repositories based on Atlassian accounts (such as John Doe's work account) instead of Bitbucket accounts/usernames?
    3. The two questions above should cover the basic access or provisioning/deprovisioning requirement covered under point (a) of the illustration. Will Atlassian Access also provide deeper integration with identity providers, such that, in this example, Acme Corp could use their Active Directory security groups to control access to repositories (and even better, projects in JIRA / Confluence), per point (b) above?

    Isaac

  8. clivehoward

    Hi Isaac,

    I think you must have the wrong email address as this is not anything to do with me.

    Regards,

    Clive Howard

  9. Alastair Wilkes staff

    Hi @Isaac Chua,

    Thanks for your questions!

    The short answer to your questions is no. Right now, Atlassian Access only handles authentication, not authorization. Authorization is still handled within Bitbucket using Bitbucket accounts. In the long term we'd like to decouple these due to the reasons you listed. It makes total sense. But for now we'd recommend John Doe create a separate account for work in this case. We also recommend you add/remove users via email address instead of username.

    One point to clarify:

    John Doe would not like to create a specific Bitbucket account, such as johndoe_acme, just to link to his work Atlassian account for access. After all, this Bitbucket account would become defunct when he leaves Acme Corp, and could become a security problem for Acme Corp that is not in their control.

    In this hypothetical scenario you own the acme.com domain, meaning you can disable users' Atlassian accounts when they leave the company -- which would mean this Bitbucket account would be disabled, since no one can log in to it. So there should not be a security problem.

    Best,
    Alastair
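The split Alastair describes above (Atlassian Access governs authentication for accounts on a claimed domain, while repository authorization still lives in Bitbucket per account) is what makes offboarding reconciliation worthwhile: disabling an IdP user blocks login but leaves the workspace grant in place, and a personal-domain account in the workspace is never covered by SAML at all. The following is an added example, not Atlassian's code and not part of the original thread; the member and IdP exports are constructed inline, and their record shapes are assumptions rather than any real Bitbucket or IdP API format.

```python
"""Reconcile Bitbucket workspace membership against an IdP directory by email.

Added example. The data and record shapes below are constructed assumptions,
not real Bitbucket Cloud or identity-provider exports.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class IdpUser:
    email: str
    active: bool  # False once the account is disabled in the IdP


@dataclass(frozen=True)
class BitbucketMember:
    username: str
    email: str
    groups: tuple  # Bitbucket user groups that carry repository grants


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str    # "deactivated" | "orphan" | "unmanaged"
    detail: str


# Constructed sample data (assumption: acme.com is the claimed domain).
CLAIMED_DOMAINS: Set[str] = {"acme.com"}

IDP_DIRECTORY = [
    IdpUser("jane.roe@acme.com", active=True),
    IdpUser("john.doe@acme.com", active=False),   # left the company
    IdpUser("new.hire@acme.com", active=True),    # not yet in Bitbucket
]

BITBUCKET_MEMBERS = [
    BitbucketMember("janeroe", "jane.roe@acme.com", ("developers",)),
    BitbucketMember("johndoe_acme", "john.doe@acme.com", ("developers",)),
    BitbucketMember("johndoe", "johndoe@gmail.com", ("developers",)),
    BitbucketMember("contractor_x", "x@contractor.example", ("ops",)),
    BitbucketMember("leaver2017", "old.dev@acme.com", ("developers",)),
]


def email_domain(email: str) -> str:
    """Return the lowercased domain part of an address."""
    return email.rsplit("@", 1)[-1].lower()


def reconcile(members: Iterable[BitbucketMember],
              idp_users: Iterable[IdpUser],
              claimed_domains: Set[str]) -> List[Finding]:
    """Flag workspace grants that the IdP no longer backs, or never covered."""
    idp_by_email = {u.email.lower(): u for u in idp_users}
    findings: List[Finding] = []
    for m in members:
        email = m.email.lower()
        if email_domain(email) not in claimed_domains:
            # SAML is enforced only for claimed domains; this login is
            # password-based and outside the organisation's control.
            findings.append(Finding(m.username, "unmanaged",
                                    "email not on a claimed domain; SAML not enforced"))
            continue
        user = idp_by_email.get(email)
        if user is None:
            findings.append(Finding(m.username, "orphan",
                                    "no matching IdP user; remove the grant"))
        elif not user.active:
            # Login is already blocked, but groups/repo permissions persist.
            findings.append(Finding(m.username, "deactivated",
                                    "IdP user disabled; grant still present in "
                                    + ",".join(m.groups)))
    return findings


def unprovisioned(members: Iterable[BitbucketMember],
                  idp_users: Iterable[IdpUser]) -> List[str]:
    """Active IdP users with no Bitbucket membership (the onboarding gap)."""
    member_emails = {m.email.lower() for m in members}
    return sorted(u.email.lower() for u in idp_users
                  if u.active and u.email.lower() not in member_emails)


if __name__ == "__main__":
    for f in reconcile(BITBUCKET_MEMBERS, IDP_DIRECTORY, CLAIMED_DOMAINS):
        print(f"{f.kind:12} {f.username:14} {f.detail}")
    print("unprovisioned:", unprovisioned(BITBUCKET_MEMBERS, IDP_DIRECTORY))
```

Matching on email rather than username follows the recommendation above; the "unmanaged" findings are the personal-domain accounts that a SAML rollout on the claimed domain would not touch, and the "deactivated" findings are the grants that survive an IdP disable and still need removing from the workspace.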

  10. Alex Goris Account Deactivated

    @Alastair Wilkes I don't think your answer correctly corresponds to the current way Bitbucket accounts work.
    I have a 'professional' bitbucket account linked to my organisation's domain (let's stick with acme.com for this discussion's sake), and yes, if I sign in during my everyday work, it is authenticating me through my Atlassian ID (which in turn uses SSO to authenticate against our AD).

    But I remember when I created this account originally (which was about a year ago) I had to enter an email address + password, and I can still use that password to log on to bitbucket today. So I'm pretty sure that even if my Atlassian ID were to be deactivated, I could still happily log in using the password that I provided last year.

  11. Alastair Wilkes staff

    @dfs_alex_goris -

    Yeah, it's a bit of a weird UX right now as we temporarily have independent login forms. Even though you put in your password on the Bitbucket form, that's not actually logging you into Bitbucket in your case. We're just using that input to know that we need to redirect you to Atlassian account to log in with SSO. If your account were disabled, you'd get stopped at that point. In addition, if you try to use your password to authenticate using Git, for example, you should get an error telling you to use an Atlassian account API token because your account is SSO-bound. And if your account

    The UX issue is that the redirect only works if you put in the correct Atlassian account password, which is a bug we need to fix - it should send you to log in with SSO regardless of the password field, because your password doesn't matter (and many SSO-bound users don't even have passwords). This issue will also go away when we move to using the Atlassian account login form for all website auth, which should happen very soon.

  12. Benjamin Bytheway

    Is Atlassian Access still not available to bitbucket-only customers, or has that restriction been lifted? I haven't been able to find anything in the Access documentation that referenced this restriction as still being in place.

  13. Douglas Martin

    You're right Ben. All of the marketing material and documentation seems to make it pretty clear that Atlassian Access can work with BitBucket, and makes no mention of BitBucket-only customers not being eligible:

    https://confluence.atlassian.com/cloud/security-with-atlassian-access-938859736.html?ga=2.174494177.2114750150.1541604968-1271905565.1533763046&_gac=1.51671003.1541634197.CjwKCAiAt4rfBRBKEiwAC678Kex2USrpsvFvmSrapiauxULzfPZcHFWhE-nQWa0odFKBsYOJM-rwhoCba8QAvD_BwE#SecuritywithAtlassianAccess-Productavailability

    It'd be great to receive some confirmation one way or another about the validity of the supposed BitBucket-only restrictions.

  14. Olivier Lacroix

    I believe this has now been resolved. I am a bitbucket-only customer and have been able to set up Atlassian Access for SSO successfully.

  15. Johan Eckerström

    Thanks for the good news! Are there any instructions on how to set it up for Bitbucket and Azure AD?
