Are you interested in Atlassian as your Identity Provider? (Login with Atlassian)

Hey Marketplace Vendors,

I’m Nehal, a Product Manager in Identity, at Atlassian.

We have been considering a ‘Login with Atlassian’ functionality for our third party cloud vendors.

We envision this to be exactly how you imagine SSO currently, but with Atlassian as the identity provider where the addition of this functionality will:

  • Create a seamless login experience for any customer with an Atlassian Account to move between products and apps, and
  • Reduce the implementation efforts for end-user authentication on your end.

We’re interested in hearing your thoughts about Atlassian as an Identity Provider and whether you see a need for this functionality.

If this piques your interest, please express this by filling in this form, and we will reach out to you accordingly.

Cheers,
Nehal

8 Likes

I have been waiting for something like this. I have filled-up the form.

Atlassian Access is costly if we want to use it for each one of our customers. I hope “Login with Atlassian” will solve this problem.

This is a Bad Idea.

I’ve lost count of the number of times I’ve failed to get Atlassian to take security seriously, and no-doubt everyone remembers the decade or more it took to convince Atlassian to add 2FA, and even then they went for 30±year-old OTP instead of anything properly secure.

What most people do not see, is what security vendors like myself do: the incomprehensible resistance Atlassian put forward when we try to get them to look at improvements. Long story short - impossible; nothing whatsoever convinces them that it’s worth improving their customer protection. They join the chorus of “Vendor Bashing” and treat us like the enemy, instead of actually thinking for themselves, or heaven-forbid actually testing anything. Vendors spend $millions making tools to keep you safe. It is not evil to try selling these.

There is no better way to test how secure a company is, than by trying to sell them improved security. If they do not even look at a solution that offers tangible benefits, they should never be trusted to manage your identity. Simple.

1 Like

Hey @ChrisDrake, thanks for sharing this open and honest feedback.

Overseeing our roadmap for Ecosystem Platform security (in collaboration with supremely talented folks like @mhart and @hbalasundaram who work full-time in this area), I can say unequivocally that improving customer protection is not only absolutely top-of-mind for us, but directly translating into improvements in our security posture through engineering and program investment (at the Atlassian and Eco level). This isn’t a PR post, and I’m not here to plug landing pages, but the Security and Marketplace App Security pages give a nice overview of how seriously we take this, and the steps we’ve taken so far (minimum security requirements for apps, Marketplace bug bounty, and the security self-assessment to name just a few).

I can see the passion and frustration in your response, though – we’re always open to hearing from you folks on anything more we can be doing. Hari, Matt, and myself are available for a chat at any time to talk more about security and hear your thoughts, ideas, and opinions – just shoot me a DM to arrange, we’d be more than happy to make the time and share context around particular decisions and the initiatives we believe will have the highest impact on our overall security posture.

Thanks again for sharing :slight_smile:

1 Like

Hi Simon - thanks for your personal reply!

I’m never quite sure how to deal with these kinds of responses. One the one hand, I have first-hand experience of sitting inside Atlassian Offices, many times, observing abject staff disregard for security. I’ve had forum posts deleted to hide security your problems, I’ve observed YEARS of customer complaints across forums begging you to add security, while at the same time had your company refuse to even look at my own product which immediately solved those problems that all your users were calling out for. Time and time again, nothing I can say or do convinces anyone in Atlassian to fix security problems, or to look at security products, or to make my on-prem Atlassian security add-in available to your cloud users, or even to make minor security-enhancing adjustments to allow vastly improved security options for your users. This is not opinion or rumor or heresay - this is my own personal first-hand observation. Atlassian treats security vendors as “the enemy”, and does everything in its power to stay away from us. To be fair - “Vendor Bashing” is a global problem, but, given that you’re Australian, I’m Australian, and your own CISO at the time was a huge Aussie-Backer - it’s especially saddening.

And then, on the other hand, you say “This isn’t PR” and then post 2 links to PR web pages that I know for certain are a huge misrepresentation of how your staff really behave when the PR folk leave the room.

I spent so much time banging my head against the Atlassian wall, that in the end I just gave up.

I am firmly of the belief that it should NOT be the job of the Vendor to sell you security that you need. It SHOULD BE YOUR JOB to find the most-secure contemporary solutions that adequately protect your users. Unfortunately we don’t see this taking place. e.g. you’d rather use OTP tech from 1984 without paying any attention to its lack of efficacy in 2020, because “that’s what everyone else is doing”. The very idea of getting something that works, even when vendors are slapping you in the face with amazing new products, doesn’t even cross your mind.

Security Culture takes more than a warm fuzzy PR web page - it takes meaningful action, and the courage to think for yourself and work out what is secure and why and how, instead of just copying everyone else. You’ve seen the charts, right? Global security is continually getting worse. You can’t turn that around by copying other people, you need to think, test, and do stuff that works.