I was in touch with Atlassian support and we were able to resolve this issue.
About the authentication-policy-strategy-mismatch error:
Usually we see the error below when SAML SSO is not enforced on the managed user account via an authentication policy in Atlassian and the user tries to log in with IdP-initiated SAML SSO, or when the NameId in the SAML response carries a different user email on which SAML SSO is not enforced.
To resolve the issue, could you please add this managed user's Atlassian account to an authentication policy in which SAML SSO is enforced.
However, an account can be 'managed' only if it belongs to a verified domain.
Q. So SSO could use only managed users, which have to have a verified domain? I cannot use @gmail.com emails?
A: Yes, currently the Atlassian cloud does not have a feature to enforce SAML SSO for "external" users (users whose domain is not verified by your organization). That being said, we are already working on improving security controls for external users, and the following is the corresponding public feature request:
- ACCESS-1362 - Enforce SSO for users on unverified domains (external user security).
So I can use Auth0 + Atlassian SSO, but only with emails from verified domains, which is not very useful if I have external users/customers.
Regards,
Dmitrij
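As an added example (not part of the original post, Auth0 or Atlassian's tooling), a small Python check that pulls the NameID out of a SAML response and classifies it against the two causes support described above: an unverified (non-managed) domain, or a managed account that is not in an SSO-enforced policy. The verified domains, the enforced-policy membership and the sample response are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces (not page-specific).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample data (hypothetical): the organization's verified domains
# and the accounts placed in an authentication policy that enforces SAML SSO.
VERIFIED_DOMAINS = {"example.com"}
SSO_ENFORCED_ACCOUNTS = {"alice@example.com"}


def extract_name_id(saml_response_xml: str) -> str:
    """Return the NameID of the first Assertion's Subject, or '' if absent.

    An EncryptedAssertion carries no plaintext NameID, so it yields ''."""
    root = ET.fromstring(saml_response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    return (node.text or "").strip() if node is not None else ""


def diagnose(saml_response_xml: str,
             verified_domains=VERIFIED_DOMAINS,
             enforced_accounts=SSO_ENFORCED_ACCOUNTS) -> str:
    """Classify why an IdP-initiated login could hit the policy mismatch."""
    name_id = extract_name_id(saml_response_xml).lower()
    if "@" not in name_id:
        return "no-email-nameid"          # NameID is not an email address
    domain = name_id.rsplit("@", 1)[1]
    if domain not in verified_domains:
        return "unverified-domain"        # cannot be a managed account
    if name_id not in enforced_accounts:
        return "not-in-enforced-policy"   # managed, but SSO not enforced
    return "ok"


def sample_response(email: str) -> str:
    """Constructed minimal SAML Response with an email-format NameID."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example:idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>urn:example:idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{email}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```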