Example ADFS Configuration

Note: This page is no longer updated. For more current information, please see below:

Setup Guides:


It’s also possible to connect Atlassian JIRA and Confluence with Azure AD or GSuite; check the setup guides below and start your 90-day free trial.



This article describes the ADFS configuration necessary for SAML Single Sign On to work.

Prerequisites

Configure ADFS for JIRA/Confluence single sign on

Open the AD FS 2.0 Management Console and select Add Relying Party Trust to start the Add Relying Party Trust Wizard and click Start.

Select Enter data about the relying party manually and click Next.

Specify a display name of your choice and click Next.

Select AD FS 2.0 profile and click Next.

Just click Next on the Configure Certificate Page.

Select Enable support for the SAML 2.0 WebSSO protocol and enter the URL of the SAML plugin as Relying party SAML 2.0 SSO service URL.

This URL has the format https://<baseUrl>/plugins/servlet/samlsso

So if your Confluence (or Jira) is running at https://confluence.yourcompany.com/ the URL is https://confluence.yourcompany.com/plugins/servlet/samlsso

Click Next.

Enter the same URL as Relying party trust identifier and click Add to add it to the list. Click Next.

Select Permit all users to access the relying party and click Next.

With this setting, ADFS issues a token for every authenticated user and sends it to Confluence or Jira. If the user id in that token is not known to JIRA or Confluence, the application denies access.

Just click Next on the next page, tick Open the Edit Claim Rules dialog and click Close.

The Edit Claim Rules window opens. In the first tab, click Add Rule.

Select Send LDAP Attributes as Claims and click Next.

Enter a name of your choice for the rule. Select Active Directory as Attribute store. Select the LDAP Attribute containing the Confluence/JIRA userid and Name ID as Outgoing Claim Type. Click Finish.

Click OK to save the settings.
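The wizard steps above, expressed with the AD FS PowerShell cmdlets, as an added example that is not part of the original article or of the plugin's own documentation: it creates the same Relying Party Trust, SAML endpoint, Permit-all authorization rule and Send-LDAP-Attributes claim rule that the wizard pages configure. The base URL https://confluence.yourcompany.com is the article's own placeholder; the display name 'Confluence' and the choice of sAMAccountName as the LDAP attribute holding the Confluence user id are assumptions.

```powershell
# Added example (not from the original article): the Relying Party Trust the
# wizard creates, built with the AD FS cmdlets instead of the GUI.
# Assumptions: Confluence runs at https://confluence.yourcompany.com (the
# article's placeholder) and the Confluence user id equals the AD sAMAccountName.
$baseUrl = 'https://confluence.yourcompany.com'
$ssoUrl  = "$baseUrl/plugins/servlet/samlsso"

# AD FS 2.0 exposes the cmdlets through a snap-in; on newer servers the ADFS
# module auto-loads and this line is a harmless no-op.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# "Enable support for the SAML 2.0 WebSSO protocol": the plugin URL becomes the
# assertion consumer endpoint (HTTP-POST binding).
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $ssoUrl -Index 0 -IsDefault $true

# "Permit all users to access the relying party": ADFS issues a token for every
# authenticated user; JIRA/Confluence still rejects user ids it does not know.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# "Send LDAP Attributes as Claims": sAMAccountName (assumed to be the Confluence
# user id) is looked up in Active Directory and issued as the SAML Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Confluence user id as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Display name of your choice; the article uses the samlsso URL as the
# relying party trust identifier as well.
Add-ADFSRelyingPartyTrust -Name 'Confluence' `
    -Identifier $ssoUrl `
    -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Show the values the wizard pages would have displayed, for a final check.
Get-ADFSRelyingPartyTrust -Name 'Confluence' |
    Select-Object Name, Identifier, @{ n = 'AcsUrl'; e = { $_.SamlEndpoints[0].Location } }
```

Run this in an elevated PowerShell session on the ADFS server. The rule text in the two here-strings is the same claim rule language the Edit Claim Rules dialog shows behind its View Rule Language button, so a trust created with the wizard can be compared against it line by line.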

Export the ADFS token signing certificate

The SAML response coming from ADFS is signed to ensure that the authentication really comes from the expected Identity Provider. To validate this signature, the token signing certificate has to be exported from ADFS and entered in the plugin configuration.

In the ADFS management console, click the Certificates folder and double-click on the Token Signing certificate.

Click the Details tab and then the Copy to File button.

Export the certificate as Base-64 encoded X.509 (.CER).

Open the exported file in a text editor and copy the content into the clipboard for the next step.
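The same export done from PowerShell, as an added example that is not part of the original article: it writes the primary token signing certificate in the Base-64 encoded X.509 (.CER) format the wizard produces, and prints the subject, thumbprint and expiry date so they can be compared with the readable form the plugin displays in the IdP Certificate field after Send. The output path C:\temp\adfs-token-signing.cer is a placeholder.

```powershell
# Added example (not from the original article): export the primary ADFS
# token-signing certificate as Base-64 encoded X.509 (.CER), the format the
# wizard's "Copy to File" produces, ready to paste into the plugin.
# Assumption: C:\temp\adfs-token-signing.cer is a placeholder output path.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# ADFS can hold two token-signing certificates while a rollover is pending;
# only the one marked primary signs the SAML responses, so that is the one
# the plugin needs.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# Export the public certificate only (never the private key) and wrap the
# DER bytes in PEM armor, i.e. "Base-64 encoded X.509".
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path 'C:\temp\adfs-token-signing.cer' -Value $pem -Encoding Ascii

# Values to compare against the readable form the plugin shows after Send.
[PSCustomObject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
}
```

The printed NotAfter date is worth noting down: when ADFS rolls over to a new token signing certificate, the certificate pasted into the plugin no longer matches the key that signs the responses and signature validation fails until it is replaced.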

Configure the plugin

Open the SAMLSSO plugin configuration at https://<confluence/jira-url>/plugins/servlet/samlsso/admin or by clicking Configure in the Plugin Manager.

Enter the appropriate settings and click Send.

Setting: IdP URL
Description: URL on ADFS to which the SAML authentication requests are sent, usually https://<your-ADFS-server>/adfs/ls
Example: https://adfs.example.com/adfs/ls/

Setting: Default redirect URL
Description: Relative URL on JIRA or Confluence to redirect to after a successful login if no specific URL was requested. This is usually the case if the samlsso servlet is opened directly. The value is usually just /.
Example: /

Setting: Login page URL
Description: If the SAML login fails, the error page shows a link to the username/password login page. For Confluence this is usually /login.action, for JIRA /login.jsp.
Example: /login.jsp

Setting: Redirect login requests
Description: If this box is checked, JIRA/Confluence redirects to the samlsso servlet (which redirects to ADFS) instead of showing the login page. If the box is not checked, single sign on only works if the samlsso servlet is called directly at https://<confluence/jira-url>/plugins/servlet/samlsso.

Setting: IdP Certificate
Description: Paste the Base64-encoded Token Signing Certificate here. If you leave this field empty, validation of the SAML response signature is disabled. This can be useful for testing and troubleshooting, but it is strongly recommended to enable the validation; otherwise an attacker could gain access by sending forged SAML responses.

After clicking Send, the certificate is shown in the field below in readable form.