Note: This Page is no longer actualised. For more updated information please see below:

Setup Guides:


It’s also possible to connect Atlassian JIRA and Confluence with Azure AD or GSuite, check the setup guides below, and start your 90 days free trial. 



This article describes the ADFS configuration necessary for SAML Single Sign On to work.

Prerequisites

Configure ADFS for JIRA/Confluence single sign on

Open the AD FS 2.0 Management Console and select Add Relying Party Trust to start the Add Relying Party Trust Wizard and click Start.

 

Select Enter date about the relying party manually and click Next.

Specify a display name of your choice and click Next.

Select AD FS 2.0 profile and click Next.

Just click Next on the Configure Certificate Page.

Select Enable support for the SAML 2.0 WebSSO protocol and configure the URL to the SAML plugin URL as Relying party SAML 2.0 SSO service URL.

This URL has the format https://<baseUrl>/plugins/servlet/samlsso

So if your Confluence (or Jira) is running at https://confluence.yourcompany.com/ the URL is https://confluence.yourcompany.com/plugins/servlet/samlsso

Click Next

Enter the same URL as Relying party trust identifier and click Add to add it to the list. Click Next.

 Select Permit all users to access the relying party and click Next.

This configuration defines that ADFS returns any authenticated user to Confluence or Jira. If this user's userid is not found there, JIRA or Confluence will deny access.

Just click Next on the next page, tick Open the Edit Claim Rules dialog and click Close.

 

The Edit Claim Rules Window opens. I the first tab, click Add Rule

Select Send LDAP Attributes as Claims and click Next.

Enter a name of your choice for the rule. Select Active Directory as Attribute store. Select the LDAP Attribute containing the Confluence/JIRA userid and Name ID as Outgoing Claim Type. Click Finish.

Click OK to save the settings.

Export the ADFS token signing certificate

The SAML response coming from ADFS is signed to insure that the authentication is coming from the correct Identity Provider. To validate this signature, the certificate has to be exported from ADFS and configured in the plugin configuration.

In the ADFS management console, click the Certificates folder and double-click on the Token Signing certificate.

Click the Details tab and the Button Copy To File.

Export the certificate as Base-64 encoded X.509 (.CER)

   

Open the exported file in a text editor and copy the content into the clipboard for the next step.

Configure the plugin

Open the SAMLSSO plugin configuration at https://<confluence/jira-url>/plugins/servlet/samlsso/admin or by clicking Configure  in the Plugin Manager.

Enter the appropriate settings and click Send.

Setting Description Example
IdP URL URL on ADFS where the SAML authentication requests are sent to, usually https://<your-ADFS-server>/adfs/ls https://adfs.example.com/adfs/ls/
Default redirect URL

Relative URL on JIRA or Confluence to redirect to after successful login if no specific URL was called. This is usually the case if the samlsso-Servlet is opened directly.

This value is usually just /.

/
Login page URL If the SAML login fails, a link to the username/password login page is displayed in the error page. For Confluence, this is usually /login.action, for JIRA /login.jsp /login.jsp
Redirect login requests If this box is checked, JIRA/Confluence redirects to the samlsso-Servlet (which redirects to ADFS) instead of the login page. If this is box is not checked, single sign on only works if the samlsso-Servlet is called directly at https://<confluence/jira-url>/plugins/servlet/samlsso.
IdP Certificate

Paste the BASE64-encoded Token Signing Certificate here.

If you leave this field empty, the SAML response signature validation is disabled. This can be useful for testing and troubleshooting, but it's strongly recommend to enable the validation. Otherwise, attackers could gain access by sending fake SAML-responses.

After clicking Send, the certificate is shown in the field below in readable form.