Group Attributes in a SAML Response from Ping Federate
Problem
Ping Federate does not send group names in the form our SAML SSO app requires to provide full Just-In-Time (User Provisioning) support.
It might only send all the group names as one comma-separated string, e.g. in the "MemberOf" attribute.
While this is good enough for basic things such as group transformation rules, it won't suffice if you want our SAML SSO app to create multiple groups in your Atlassian instance.
For that to work, group names need to be sent as a multi-valued attribute, as in the example below.
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Everyone</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">test-test</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">testuser</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
Solution
The article from Ping below describes how to use Object-Graph Navigation Language (OGNL) to accomplish that, based on an LDAP memberOf attribute.
https://support.pingidentity.com/s/article/How-to-process-a-LDAP-multi-valued-attribute-and-return-it-as-a-multi-valued-SAML-attribute673515
Depending on your exact Ping version, OGNL might not be available. We do know that it is available at least for Ping Federate.
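To confirm which of the two shapes described in the Problem section your IdP actually sends, you can run a check like the following over the AttributeStatement of a captured SAML response. This is an added example, not code from the SAML SSO app or from Ping; the function name, the sample XML and the DN heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample input: the two shapes described in the article.
MULTI_VALUED = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    <saml2:AttributeValue>test-test</saml2:AttributeValue>
    <saml2:AttributeValue>testuser</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

COMMA_JOINED = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="MemberOf">
    <saml2:AttributeValue>Everyone,test-test,testuser</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def classify_group_attribute(xml_text, attr_name):
    """Return (shape, values) for the named SAML attribute (hypothetical helper).

    shape is "missing", "multi-valued", "single" or "comma-joined".
    Diagnostic only: it does not verify the XML signature, so use it on
    responses captured from your own IdP, not as an access decision.
    """
    root = ET.fromstring(xml_text)
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        values = [v for v in values if v]
        if not values:
            return "missing", []
        if len(values) > 1:
            return "multi-valued", values
        # Heuristic (assumption): a lone LDAP DN such as CN=x,OU=y contains
        # commas but names one group, so it is not flagged as a joined list.
        only = values[0]
        if "," in only and only.lower().count("cn=") != 1:
            return "comma-joined", values
        return "single", values
    return "missing", []


if __name__ == "__main__":
    print(classify_group_attribute(MULTI_VALUED, "groups"))
    print(classify_group_attribute(COMMA_JOINED, "MemberOf"))
```

A result of "comma-joined" means the app receives one string rather than separate group names, which is the situation the OGNL approach above is meant to correct.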