A pop-up survey could appear while you're here--curious what it's for? Click here to learn more!

×
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

JSM portal-only customers SSO with Entra ID redirects to login.live.com

Julien Béchade
Julien Béchade
Contributor
September 14, 2025

Hi,

I'm a bit puzzled. I followed this guide https://confluence.atlassian.com/cloudkb/configure-saml-single-sign-on-for-portal-only-customers-with-entra-id-formerly-known-as-azure-ad-1541081409.html to set up SSO for portal-only customers but it always redirects to https://login.live.com/oauth20_authorize.srf and not to our actual Entra ID login page.

I went over the guide many times to make sure I did not omit something or made a mistake. The request is actually reaching https://login.microsoftonline.com/{{uuid}}/saml2, the entreprise app. login URL, but is redirected to login.live.com from there so the issue is definitively in Entra ID.

Did anybody stumble upon this issue and resolved it?

 

Screenshot 2025-09-14 192909.png

Screenshot 2025-09-14 191636.png

 

Answer
Watch
Like Be the first to like this
116 views

2 answers

1 vote
Marc - Devoteam
Marc - Devoteam
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 15, 2025

Hi @Julien Béchade 

You could look at this previous community post

https://community.atlassian.com/forums/Jira-Service-Management/Portal-only-customer-SSO-with-Azure-B2C/qaq-p/2738020

View More Comments
Julien Béchade
Julien Béchade
Contributor
September 15, 2025

This is gold, thank you @Marc - Devoteam

Like
Julien Béchade
Julien Béchade
Contributor
September 15, 2025

That article https://www.camiloterevinto.com/post/azure-b2c-atlassian-sso listed on the post you linked to was very informative and straight to the point.

Like Marc - Devoteam likes this
Marc - Devoteam
Marc - Devoteam
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 15, 2025

Hi @Julien Béchade 

Please accept my answer as a solution, if my answer helped to solve or provide a workaround to your request.

This will help other community member trying to solve the same or provide them with a work around

P.S. If the answer is very valuable to you, please share some kudos.

Like
Julien Béchade
Julien Béchade
Contributor
September 16, 2025

Happy to @Marc - Devoteam! But both answers are correct and helped me a lot.

Like
Reply
1 vote
Christos Markoulatos
Christos Markoulatos
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 15, 2025

Hi @Julien Béchade 

This happens because of Home Realm Discovery (HRD) in Microsoft Entra ID. When a user enters an email address that Entra doesn’t recognize as part of your managed domains (for example, @gmail.com or @outlook.com), Entra assumes it’s a Microsoft Account (MSA) and sends the user to the consumer login service at login.live.com.

The Atlassian guide you followed sets up SAML SSO using an Enterprise App in your workforce tenant. That works perfectly for your employees or guests in your tenant, but it cannot authenticate random external users unless they exist in your tenant or you use a customer identity solution.

Option 1: B2B (Guest users in your tenant)

  • Invite external customers as guests in your Entra tenant (or enable self-service sign-up).
  • They can sign in with their Microsoft Account or their own Entra account.
  • Your Enterprise App will then issue the SAML assertion to Atlassian.

Option 2: External ID / B2C

  • Use Microsoft Entra External ID (B2C) for a true customer-facing identity solution.
  • B2C supports:
    • Microsoft Accounts (MSA)
    • Social logins (Google, Facebook, etc.)
    • Local accounts
  • Atlassian accepts any SAML 2.0 IdP, so you configure Atlassian to trust your B2C policy endpoints (which look like https://<tenant>.b2clogin.com/...).

 

For true external customers, you need B2B or B2C.

Microsoft Entra B2B best practices and recommendations - Microsoft Entra External ID | Microsoft Learn

What is Azure Active Directory B2C? | Microsoft Learn

Hope this helps 😊

View More Comments
Julien Béchade
Julien Béchade
Contributor
September 15, 2025

Hi Christos,

Thank you for taking the time to answer! This definitively helps 🙏

It does make sense that an entreprise app. is scoped to the managed domain.
But we happen to have a B2C tenant so option 2 it is.
However, I'm not sure how to "configure Atlassian to trust your B2C policy endpoints" to match Atlassian requirements. Any pointers?

Screenshot 2025-09-15 104553.png

Like
Julien Béchade
Julien Béchade
Contributor
September 15, 2025

Ok so it looks like I would first need to create a SAML app. in B2C following this guide https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy. Am I on the right track?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira Service Desk
Jira Service Management
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security