Goal

Configure SAML Single Sign-On to work with Okta and just-in-time provisioning.

Prerequisites

  • Okta Directory
  • Your Atlassian application must be accessible via HTTPS (see the Atlassian documentation, e.g. for Jira or Confluence); the SAML assertion and the resulting session cookie travel over this connection.

Video Guide

The video below is an installation guide for setting up our SAML SSO app with Okta (watch on YouTube).

Step-by-Step Setup Guide

Find below a detailed guide on how to complete the setup of the SAML Single Sign On app with Okta and just-in-time provisioning,
meaning that users from Okta are automatically created and updated in your Atlassian application when they sign in via Okta and SAML SSO.

Install the SAML SSO app


In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.

After the installation is complete, click on Manage, then choose Configure.

Now you are on the add-on / app configuration page and the first step of the setup wizard will appear.

Configure SAML SSO app

Should you not have clicked on Configure immediately after the installation of the SAML SSO app:

To start the wizard and to configure Okta as your new identity provider, navigate to the administration console for
Jira or Confluence. 

Confluence: search for USERS & SECURITY under which you'll find SAML Single Sign On
Jira: navigate to the User management tab in which you'll find SAML Single Sign On

Click on it and the wizard start page will show.

Add new Identity Provider (IdP)

Click on Add new IdP to start the wizard.

Adding a new IdP can also be done outside the wizard, in the app configuration section Identity Providers.

Select Okta as IdP Type.
You may also change the name and add a description. The name needs to be unique.
Click on Next.

Retrieve SAML Metadata for Okta

Copy the Single sign-on URL from the screen; this is the app's Assertion Consumer Service (ACS) URL, and you'll need it in the Okta admin console. Click on Next.

Configure Okta

Create Application

Now it's time to head over to Okta. Make sure you're logged in as Admin. Choose Applications from the menu bar:

Click on Add Application

Click on Create New App

Select Web as platform and choose SAML 2.0 as Sign on method in the Create a New Application Integration screen.
Click Create.

Provide a meaningful App name and click Next.

Paste the Single sign-on URL you copied from the SAML SSO app into both the Single sign on URL field and the Audience URI (SP Entity ID) field.
The values must match the app's values exactly (scheme, host and path): Okta posts assertions to the first and restricts them to the second,
and a conforming SP rejects assertions whose audience does not match its own entity ID.

Okta Attributes for Creating Users with Just In-Time Provisioning

Below, in the ATTRIBUTE STATEMENTS (OPTIONAL) section, define the three attributes needed for just-in-time provisioning.
They are the ones the SAML SSO app reads later in this guide: first, last and email, with the Okta values user.firstName,
user.lastName and user.email (the Name format can stay at Unspecified).

Okta Attributes for handling Groups with Just In-Time Provisioning

Add groups as the attribute name in the GROUP ATTRIBUTE STATEMENTS (OPTIONAL) section so that Okta sends the user's
groups as a SAML attribute for just-in-time provisioning.

Change the filter type to Matches regex and enter .* as the regular expression so that all of the user's groups are sent.
Note that this exposes every Okta group membership to the Atlassian application in each assertion; if only some groups are
relevant there, use a narrower expression (for example jira-.* for groups whose name starts with jira-) or another filter type from the dropdown.


Click Next once finished.

Complete Okta Configuration

Step 3 only asks for feedback to Okta. Choose your option and click Finish.

You'll be redirected to the Sign On tab, from which you can copy the Identity Provider metadata link by right-clicking the
link of the same name and copying its address.

You also need to define in Okta which users and/or groups are allowed to sign in via SAML SSO through the app you've created.
Switch to the Groups tab and add one or more groups whose members should sign in with SSO.

The simplest example would be to allow the group Everyone access to the app; this grants SSO (and, with just-in-time provisioning,
an Atlassian account) to every Okta user, so prefer a dedicated group in production.
You could also assign individual people to your app via the People tab.



Import SAML IdP Metadata

It's time to resume configuration on the SAML SSO side. Paste the Okta metadata link you've just copied into the Metadata URL field
of the Import SAML IdP Metadata wizard screen, which should still be open. The app fetches the IdP entity ID, the SSO endpoint and
Okta's signing certificate from this document, so use the HTTPS URL exactly as Okta gave it to you.

User ID attribute and transformation

It's recommended to leave the default setting on this screen as it is.

Click on Next.

User creation and update

This part of the configuration defines how just-in-time provisioning works: users who exist in Okta but not yet in the
Atlassian application are created on their first login, and existing ones are updated from the SAML attributes.

  • select Update from SAML-Attributes as User Update Method
  • check the Create New Users box
  • select a directory to create the new users in, usually the default user directory
  • optionally, also update users who were not created by the SAML SSO app by checking the corresponding box;
    be aware that this lets Okta overwrite the attributes of existing local accounts as well
  • enter {first} {last} as Full Name Attribute
  • enter email as Email Attribute

Click Save & Next to proceed.

Scroll down to the Group Settings.

Enter groups as the attribute to read the groups from, as configured earlier in Okta under GROUP ATTRIBUTE STATEMENTS.

Depending on your Atlassian product, it is a good idea to set default user groups for new users,
such as jira-software-users for Jira or confluence-users for Confluence.
Without assigning new users to the product specific group, they are not able to use your Atlassian product.

Also, feel free to activate any option which suits your needs. 
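The following added example (not code from the SAML SSO app or from Okta) shows, in Python, the decisions behind the Okta attribute statements above and the user creation and group settings just configured: which groups Okta's Matches regex filter lets through, how the {first} {last} template and the email attribute are filled from an assertion, how the default group is merged in, and what happens to a user unknown to the Atlassian application when Create New Users is on or off. The sample assertion, the user jdoe@example.com, the group names, the directory name "Internal Directory" and the SP entity ID https://jira.example.com/plugins/servlet/samlsso are constructed placeholders; a real SP validates the assertion signature before this stage, which is omitted here.

```python
import re
import xml.etree.ElementTree as ET   # for untrusted input prefer defusedxml.ElementTree

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# The wizard settings from this guide as a dict. The directory name and the
# SP entity ID (the app's Single sign-on URL) are assumed placeholder values.
SSO_CONFIG = {
    "sp_entity_id": "https://jira.example.com/plugins/servlet/samlsso",
    "user_update_method": "Update from SAML-Attributes",
    "create_new_users": True,
    "directory": "Internal Directory",
    "full_name_attribute": "{first} {last}",
    "email_attribute": "email",
    "group_attribute": "groups",
    "default_groups": ["jira-software-users"],
}

# Constructed sample assertion as Okta would issue it with the attribute
# statements from this guide (signature omitted: this stage runs after it was checked).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://jira.example.com/plugins/servlet/samlsso</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="first"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>jira-developers</saml:AttributeValue>
      <saml:AttributeValue>finance-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def okta_group_filter(group_names, pattern):
    """Simulate Okta's 'Matches regex' group attribute filter: only groups whose
    name matches the pattern end up in the groups attribute. Full-match semantics
    are assumed here; '.*' (as used in the guide) passes every group."""
    return [g for g in group_names if re.fullmatch(pattern, g)]


def extract_attributes(assertion_xml):
    """Return (NameID, audiences, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, audiences, attrs


def render_template(template, attrs):
    """Expand '{first} {last}'-style templates with the first value of each attribute."""
    def substitute(match):
        name = match.group(1)
        if not attrs.get(name):
            raise ValueError(f"assertion carries no attribute {name!r} needed by {template!r}")
        return attrs[name][0]
    return re.sub(r"\{([^{}]+)\}", substitute, template)


def provision_user(assertion_xml, config, existing_users):
    """Just-in-time provisioning decision for one login. Returns the user record
    to create or update, or None when the login must be refused."""
    name_id, audiences, attrs = extract_attributes(assertion_xml)
    if config["sp_entity_id"] not in audiences:
        raise ValueError(f"assertion not addressed to this SP: {audiences}")
    if name_id not in existing_users and not config["create_new_users"]:
        return None   # no local user and JIT creation is off: deny the login
    groups = set(attrs.get(config["group_attribute"], [])) | set(config["default_groups"])
    return {
        "username": name_id,
        "full_name": render_template(config["full_name_attribute"], attrs),
        "email": render_template("{" + config["email_attribute"] + "}", attrs),
        "groups": sorted(groups),
        "directory": config["directory"],
        "action": "update" if name_id in existing_users else "create",
    }


if __name__ == "__main__":
    okta_groups = ["Everyone", "jira-developers", "finance-admins"]
    print("groups sent with '.*':", okta_group_filter(okta_groups, r".*"))
    print("groups sent with 'jira-.*':", okta_group_filter(okta_groups, r"jira-.*"))
    print(provision_user(SAMPLE_ASSERTION, SSO_CONFIG, existing_users=set()))
```

The narrower filter shows why .* deserves a second look: with it, finance-admins is carried into every Jira login and, with group synchronisation, becomes a Jira group; with jira-.* only the groups meant for Jira leave Okta.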


Test configuration of SAML SSO app

The last step when adding the Okta IdP is a test which can be executed by clicking on the corresponding Start test button.

Copy the link displayed, paste it into a new incognito/private browsing window, and execute a login with your Identity Provider.

Please remember that ...

  • the user you are testing with needs to be assigned to the SSO app you've just created in Okta
  • the user does not need to exist in your Atlassian application beforehand: with just-in-time provisioning enabled as configured above,
    it is created from the SAML attributes on the first login, so the assertion must carry the first, last, email and groups attributes

The status of the authentication process is continuously updated in the window.

If there is any error at this point you need help with, please refer to the troubleshooting guide, which will also help us, should you open a support ticket with us.
Of course the test window above will display a lot of information about the errors already, but requires some deeper knowledge of the SAML protocol.


Enable login redirection

The last step of adding Okta as your new IdP is to configure redirect options.
Selecting Enable SSO Redirect will ensure that users are redirected to Okta to be logged in via SAML
instead of being shown the login form as before the SSO setup.

The Override Logged Out URL Method can be left at the default option.
It will redirect users after log out to a default page where they can login again via username and password or SSO again.

Save & Close to complete the setup and close the wizard. You are now ready to use Okta with SAML SSO in your Atlassian application.

If Enable SSO Redirect is enabled, you can still log in to your Atlassian application manually by browsing to the URL that fits your Atlassian application as listed below.
Use this URL if you need to log in a local user unknown to Okta, or if there are any issues with Single Sign On.
Because this login form remains reachable, local accounts (in particular administrators) still need strong passwords and should be kept to a minimum.

  • Jira: https://<baseurl>/login.jsp?nosso
  • Confluence: https://<baseurl>/login.action?nosso
  • Bitbucket: https://<baseurl>/login?nosso
  • Bamboo 5: https://<baseurl>/userlogin!default.action?nosso
  • Bamboo 6: https://<baseurl>/userlogin!doDefault.action?nosso
