Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
Important Update! This app will be discontinued soon!
Due to recent changes in Jira, which no longer ships with some components required for our Read Receipts app to run, we've made the tough decision to discontinue the app, as of Februar 5, 2025.
Important Update! This app will be discontinued soon!
We've made the tough business decision to discontinue the app, as of January 11, 2025.
Azure AD with User Sync
Goal
After completing this setup guide, you will have setup Azure AD and your Atlassian product for the SAML SSO app and also User Sync. Additionally, you will enable the SSO redirection and test SSO.
Prerequisites
To use the SAML SSO app with Azure AD, you need the following:
- An Azure AD subscription
- A (trial) subscription for the SAML SSO app
- Admin access to your Atlassian product
Video Guide
Here you will find a detailed video guide soon.
Step-by-Step Setup Guide
Configure Azure AD for User Sync
Before configuring your app to work with SSO, you need to configure User Sync. Before you proceed with this tutorial, please first setup User Sync for Azure AD by following this tutorial.
For this tutorial, User Sync needs to be set up first before you can configure SSO.
Configure Azure AD for the SAML SSO App
Adding an Enterprise Application for the SAML SSO App
Navigate to the Azure Portal. In the left panel, click on "Azure Active Directory".
Again, in the left panel under "Manage" click on "Enterprise Applications".
Now, click on "New Application" to add a new Enterprise Application.
We created presets in the gallery to configure Azure AD for our app. Search for "resolution gmbh" and choose the version which matches your Atlassian product, e.g. "SAML SSO for Jira by resolution GmbH" for Jira. For the rest of this tutorial, the screenshots will show the Jira version of the marketplace app, but the configuration is identical for the other gallery apps.
In the next step, click "Add" to add a new enterprise application. You can also choose new name for it.
Please wait until the Azure portal redirects you to the enterprise application you just created. This can take a couple of seconds. For the next steps, you will configure the application for Single Sign On.
Configure the Enterprise Application for Single Sign On
After adding an enterprise application for the app, it must now be configured to work with your Atlassian product.
In the left panel under "Manage", choose "Single sign-on".
Click on "SAML" as the Single Sign On method.
Next, click on the pen symbol in "Basic SAML Configuration".
For the next step, you have to set the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL).
In general, the needed URL for both is "https://<base-url>/plugins/servlet/samlsso". You need to substitute "<base-url>" with the base url of your Atlassian product instance.
The gallery application already provides the needed URLs. You only have to substitute "YOURJIRASERVERNAME" with the URL of your Atlassian product instance and then click "Save".
"YOURJIRASERVERNAME" will be called differently depending on the gallery application, e.g. "YOURCONFLUENCESERVERNAME" for the Confluence version of the gallery application.
You will be redirected the "Set up Single Sign-On with SAML - Preview" page again. Scroll down to "SAML Signing Certificate" and copy the "App Federation Metadata Url". The link will be used to configure your Atlassian product for the SAML SSO app.
Deactivate User Assignment Required
In the left panel, click on "Properties". In the new window, scroll down to "User assignment required?" and set the option to "NO"
When set to "YES", users and groups must be first added to the Enterprise application before users are able to use SSO.
Click on "Save".
Configure Your Atlassian Product for the SAML SSO App
Install the SAML SSO App
In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.
After the installation is complete, click on Manage, then choose Configure.
Now, you are on the Add-on / app configuration page and the first step of the setup wizard will appear.
Configure the SAML SSO App
After you clicked "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that you there is no IdP configured.
The Wizard greets you with information, click on "Add new IdP" to proceed.
For the IdP Type, choose "Azure AD". You can also choose a name. Click on "Next" to continue.
Here, click on "Next" again. You might recognise the provided URL since you added them in Azure AD before.
Now, you will paste the App Federation Metadata Url you have obtained before. Paste the App Federation Metadata Url in the "Metadata URL" textfield.
You can also configure the plugin without the metadata XML URL. Please choose another option from the dropdown menu and proceed as the wizard guides you.
Afterwards, click on "Import".
Click on "Next" to continue.
If you configured your Atlassian product and your Identity Provider in a common way, you do not need to change anything here. In that case, just click "Next".
For "User Update Method" choose "Update with UserSync-Connector" or "Update with UserSync-Connect and apply SAML attributes". If you are unsure, use "Update with UserSync-Connector".
Please expand one of the following sections to continue.
For "UserSync-Connector", choose the one you have created before.
For the "Lookup Attribute", insert "http://schemas.microsoft.com/identity/claims/objectidentifier" into the textfield. This allows the app the add create new users which have not already been synced by User Sync in the first place.
Click "Save & Next" to continue.
For "UserSync-Connector", choose the one you have created before.
For the "Lookup Attribute", insert "http://schemas.microsoft.com/identity/claims/objectidentifier" into the textfield. This allows the app the add create new users which have not already been synced by User Sync in the first place.
Scroll down in the Wizard to "User Creation and Update from SAML Attributes". If you want your Atlassian product to create new users automatically, check "Create New Users".
There are various options you can set. For this tutorial, new users should be created automatically when first accessing your Atlassian product instance, thus tick "Create New Users".
You can also choose the directory for new users or to update non-SAML provisioned users, i.e. which are already present in your Atlassian product. By activating the option, they can also be updated via SAML attributes when they log in.
Further, the "Full Name Attribute" and "Email Attribute" must be set. Set the first to "http://schemas.microsoft.com/identity/claims/displayname" and the second to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" (both without quotation marks).
Since Azure AD only sends group ids (and not names) via SAML, ingnore the "Group settings" and click "Save & Next" to continue.
Testing SSO
The wizard also allows to test the Single Sign On. Just follow the steps to test if the login works as expected.
Click on "Start test" to proceed.
Copy the red marked link and open a new incognito/private tab or a different web browser. Then, paste the link and navigate to it. 
You will be now redirected to Azure AD's login page. Please log-in with you username and password. 
If everything worked fine, you will logged in into Jira. In theother tab/browser in which you were configuring the SAML SSO plugin, you can see also the "SUCCESS" status, if everything worked as expected. Click "Next" to proceed.
SSO Redirection
As a last step, you can set the "Enable SSO Redirect" option. If set, all users will be redirected to Single Sign On, thus they will be logged in via the IdP. Click on "Save & Close" to finish the configuration.
