Authentication policy settings for your organizations

Who can do this?
Role: Organization admin
Atlassian Cloud: Requires Atlassian Guard Standard to create more than one authentication policy and to apply single sign-on (SSO), two-step verification, and user API token settings
Atlassian Government Cloud: Available

With authentication policies, you configure settings for different sets of users. These sets of users come from your managed accounts. When you test settings on a subset of users, you reduce the risk of rolling out an error to your entire organization.

The settings you can configure through authentication policies are:

| Setting | Description | Available for Atlassian Cloud (✅ when setting requires Atlassian Guard Standard) | Available for Atlassian Government Cloud |
|---|---|---|---|
| Single sign-on through SAML or Google Workspace | Require members to log in to Atlassian products with your identity provider. | ✅ | Only SAML, not Google Workspace |
| Two-step verification | Require members to set up and use a second step when logging in. | ✅ | Check your identity provider |
| Two-step verification | Make it optional to set up and use a second step when logging in. | Included by default | Not available |
| User API tokens | Control whether members create new or use existing API tokens to authenticate to your organization’s product data. | ✅ | Available |
| Third-party login | Allow members to log in to Atlassian products with third-party accounts. | Included by default | Not available |
| Third-party login | Prevent members from logging in to Atlassian products with third-party accounts. | Included by default | Not available |
| Password requirements | Choose minimum strength for user passwords. | Included by default | Check your identity provider |
| Password requirements | Choose when a password expires. | Included by default | Check your identity provider |
| Idle session duration | Choose how long members can be idle before we log them out. | Included by default | Available |

Single sign-on (SSO)

SSO allows your users to log in using your organization's identity provider to access all your Atlassian cloud products. Create one authentication policy to test an SSO configuration on a few accounts before turning it on for your whole organization.

Set up SSO for SAML or Google Workspace

When you select SAML SSO, you’re redirected from the authentication policy to the SAML SSO configuration page. Learn how to configure SAML single sign-on.

When you select Google Workspace, you’re redirected from the authentication policy to the Google Workspace setup page. Learn how to set up Google Workspace.

Once you’re done configuring SAML SSO or Google Workspace SSO, you need to enable SSO in the policy.

To enable SSO:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Authentication policies.

  3. Select Edit for the policy you want to enforce.

  4. Select Enforce single sign-on.

Warning: What happens if you enforce SSO on users who are not in an identity provider?
If you enforce SSO on users who are not in the identity provider, those users can’t log in to Atlassian products. Create another policy for these users that does not enforce SSO for login.
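
A pre-flight check for the warning above, as an added example that is not part of the Atlassian documentation: before enforcing SSO on a policy, it compares the policy's members with an identity-provider user export and lists the accounts that would be locked out. The CSV layouts, column names, the policy name `sso-pilot` and all addresses are constructed assumptions.

```python
import csv
import io

# Constructed sample data. The column names are assumptions for this example,
# not a documented Atlassian or identity-provider export format.
POLICY_MEMBERS_CSV = """email,policy
Alice@Example.com,sso-pilot
bob@example.com,sso-pilot
carol@example.com,sso-pilot
svc-build@example.com,sso-pilot
dave@example.com,default
"""
IDP_USERS_CSV = """userName,active
alice@example.com,true
bob@example.com ,true
carol@example.com,false
"""

def _norm(email):
    # Exports often differ in case and stray whitespace; compare normalized.
    return email.strip().lower()

def load_policy_members(text, policy):
    rows = csv.DictReader(io.StringIO(text))
    return {_norm(r["email"]) for r in rows if r["policy"].strip() == policy}

def load_idp_users(text):
    active, inactive = set(), set()
    for r in csv.DictReader(io.StringIO(text)):
        bucket = active if r["active"].strip().lower() == "true" else inactive
        bucket.add(_norm(r["userName"]))
    return active, inactive

def sso_preflight(policy_csv, idp_csv, policy):
    """Classify a policy's members by whether they could log in through the IdP."""
    members = load_policy_members(policy_csv, policy)
    active, inactive = load_idp_users(idp_csv)
    return {
        "ready": sorted(members & active),
        # Present but deactivated in the IdP: treated as unable to log in.
        "deactivated_in_idp": sorted(members & inactive),
        # Not in the IdP at all: candidates for a policy without SSO.
        "missing_from_idp": sorted(members - active - inactive),
    }

if __name__ == "__main__":
    report = sso_preflight(POLICY_MEMBERS_CSV, IDP_USERS_CSV, "sso-pilot")
    for group, emails in report.items():
        print(f"{group}: {', '.join(emails) or '-'}")
```

Accounts reported as `missing_from_idp` or `deactivated_in_idp` are the ones to add to the identity provider or move to a policy without SSO before enforcement.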

Enforce two-step verification

Two-step verification adds a second login step. The second step keeps the user accounts secure even if the password is compromised. When account logins are secure, your organization's products and resources are safer.

You can require members to set up and use a second step when logging in or make it optional.

If you enable SSO, you can only set up two-step verification in your identity provider and not your authentication policy. Learn how to enforce two-step verification.

Third-party login

Control whether members can log in to your products with third-party accounts such as Google, Microsoft, Apple and Slack accounts.

If you enable SSO, you can only manage third-party logins in your identity provider and not in your authentication policy.

User API tokens

Users create API tokens to authenticate to an organization and to run scripts. Members can access your organization's product data with Atlassian’s product APIs. User API token settings control whether members can make API calls with an API token to your organization's products.

By default, your organization's user API token settings are set to allow access. With the user API token setting, you can allow or block members from:

  • Creating a new API token

  • Using an existing API token

To block user API tokens:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Authentication policies.

  3. Select Edit for the policy you want to block.

  4. Select Block members from creating a new or using an existing API token.

  5. Select Update.

Amount of time to update user API tokens

When you allow or block user API tokens, we apply the update the next time a member tries to make an API call with a token to run a script against your organization.

It can take up to 10 minutes to complete the update. If a member tries to access your products with a user API token before we complete the update, they can still access the organization.

Learn about how users manage API tokens.

Password requirements

You can choose the minimum strength that all passwords must comply with. By default, passwords do not expire. However, you can set an expiration period by defining the number of days for password expiration. 

If you enable SSO, you can only set up password requirements in your identity provider and not your authentication policy.

Idle session duration

Idle session duration is the amount of time a member can be idle while logged in before we log them out and they have to log back in. Learn how to update idle session duration.
