Starting with version 0.14, users can be created and updated during the SAML login process.

The following attributes are required for the user creation process (otherwise the creation will fail):

Application   Required attributes
JIRA          Userid, Full name, Email Address
Confluence    Userid
Bitbucket     Userid, Full name, Email Address

If a user is created by the plugin, this user is tagged in the directory. Only users with this tag are updated on subsequent logins (unless the feature Update existing users is active).

So if you have created the user within JIRA, or the user comes from an LDAP directory, the user is not updated when the data in the SAML response differs from the stored user data. This especially applies to group memberships. So if you need to change group memberships via SAML within JIRA, create the user locally.


In Confluence, there must be a group "confluence-administrators" with at least one user in it, otherwise user creation/update will fail. If the internal directory is disabled, ensure that the group is available in the external directory.

Configuration

  • Set up your Identity Provider to deliver attributes for userid, email address, full name and optional group assignments in the response. 

    The SAML Response can be found in the JIRA/Confluence/Bitbucket log file (atlassian-[jira/confluence/bitbucket].log) when plugin DEBUG log output is enabled (instructions for enabling DEBUG logging: https://wiki.resolution.de/display/SSSO/Troubleshooting).

    This is an example SAML Response for a user "camilla" with full name "Camilla the Chicken", email address "camilla@muppets.com" and groups "jira-testgroup1,jira-testgroup2":

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://jira7sd.lab.inserve.local/plugins/servlet/samlsso" ID="_2d7d3fe5-a2a1-45b5-93de-a39e27d7ff2d" InResponseTo="ldjedifipldjoefccdnlomjmlebmmieomblnfopn" IssueInstant="2016-02-11T22:01:28.284Z" Version="2.0">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://dc01.ad.lab.inserve.local/adfs/services/trust</Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_958e90f3-5d10-4d92-b376-45b9bb6db68d" IssueInstant="2016-02-11T22:01:28.284Z" Version="2.0">
        <Issuer>http://dc01.ad.lab.inserve.local/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          ...
        </ds:Signature>
        <Subject>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="enefpfnmgckjadiephjbdhacakigkiooonkonjgl" NotOnOrAfter="2016-02-11T22:27:46.519Z" Recipient="https://jira7sd.lab.inserve.local/plugins/servlet/samlsso"/>
          </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2016-02-11T22:22:46.503Z" NotOnOrAfter="2016-02-11T23:22:46.503Z">
          <AudienceRestriction>
            <Audience>https://jira7sd.lab.inserve.local/plugins/servlet/samlsso</Audience>
          </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
          <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
            <AttributeValue>camilla</AttributeValue>
          </Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
            <AttributeValue>Camilla the Chicken</AttributeValue>
          </Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>camilla@muppets.com</AttributeValue>
          </Attribute>
          <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>camilla@muppets.com</AttributeValue>
          </Attribute>
          <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
            <AttributeValue>jira-testgroup1,jira-testgroup2</AttributeValue>
          </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2016-02-11T21:43:25.002Z">
          <AuthnContext>
            <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
          </AuthnContext>
        </AuthnStatement>
      </Assertion>
    </samlp:Response>
  • Go to the plugin configuration page. 
  • Enter or select the SAML attribute names delivered by the IdP for Userid, Full Name, Email and Group. If you have imported metadata containing friendly names for these attributes, you can use the select boxes.
  • Under Advanced IdP Settings check the Enable User creation or update checkbox. 
  • Fill the User Groups field with an appropriate group name (e.g. jira-core-users). Newly created users will always be assigned to these groups, no matter what groups are delivered by the IdP. 

    This field does not apply to JIRA Service Desk Customers.
    Please note that our plugins are not able to create groups. All groups need to be created manually in JIRA/Confluence/Bitbucket beforehand.

  • Click Save.
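As an added example (not the plugin's own code), this Python snippet performs the mapping step the steps above configure: it reads the attribute names entered on the plugin page out of a response like the one shown, checks the Audience and validity window from Conditions, splits the comma-separated group claim, and reports which application-specific required attributes are missing, so a creation failure can be diagnosed before Enable User creation or update is switched on. It assumes the XML signature has already been verified; the sample response, constant names and build_user are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names exactly as entered on the plugin configuration page (from the page's example).
ATTR_MAP = {
    "userid": "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    "fullname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
# Attributes the page lists as mandatory for user creation, per application.
REQUIRED = {"JIRA": ("userid", "fullname", "email"), "Confluence": ("userid",),
            "Bitbucket": ("userid", "fullname", "email")}
# Constructed sample (Signature omitted): no full name, duplicate email, comma-separated groups.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<Conditions NotBefore="2016-02-11T22:22:46.503Z" NotOnOrAfter="2099-01-01T00:00:00.000Z">
<AudienceRestriction><Audience>https://jira7sd.lab.inserve.local/plugins/servlet/samlsso</Audience></AudienceRestriction>
</Conditions><AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>camilla</AttributeValue></Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>camilla@muppets.com</AttributeValue></Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>camilla@muppets.com</AttributeValue></Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>jira-testgroup1,jira-testgroup2</AttributeValue></Attribute>
</AttributeStatement></Assertion></samlp:Response>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def build_user(response_xml, application, expected_audience, now=None):
    # Mapping step only: the response's XML signature is assumed to be verified already.
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if expected_audience not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this service provider")
    attrs = {}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        attrs.setdefault(attr.get("Name"), []).extend(
            v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    user = {f: (attrs.get(n) or [None])[0] for f, n in ATTR_MAP.items() if f != "groups"}
    # Groups may arrive as several AttributeValue elements or comma-separated in one value.
    user["groups"] = sorted({g.strip() for v in attrs.get(ATTR_MAP["groups"], [])
                             for g in v.split(",") if g.strip()})
    missing = [f for f in REQUIRED[application] if not user[f]]
    if missing:
        raise ValueError(f"{application} would not create the user; missing: {missing}")
    return user
```

With the sample above, Confluence (Userid only) gets a user record, while JIRA and Bitbucket report the missing full name, which is exactly the case the table at the top describes.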