SAML Single Sign-OnSAML Single Sign-On
Try For Free

OpenID Connect for Keycloak with User Sync

Goal

Configure SAML Single Sign-On to work with Keycloak, using Just-in-Time provisioning to automatically create and update users during Single Sign On.

Prerequisites

  • Identity Provider Keycloak

  • Your Atlassian application must be accessible via HTTPS. (read more about it in the Atlassian documentation, i.e. for Jira or Confluence)

Step-by-Step Setup Guide

This setup guide describes how to complete the initial setup for SAML Single Sign On (SSO) Add-on with Keycloak,
applicable for Add-on version starting 3.1.0. If you need any further support, please feel free to contact us here


Install the SAML SSO App


In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.


After the installation is complete, click Manage Apps/Addons



Install-25-loop.gif



Configure UserSync

Configuration in the Keycloak Web Console

Login to your Keycloak instance with administrator privileges and enter the Administration Console

welcomeToKeycloak.png


Select the realm of the users who should be synchronized and click on Clients in the left-hand navigation bar.
Click on the Create client button of the client view to register a new client for the User & Group Sync connector

create_client.png


Provide a name for the Client ID and make sure that the Client type is OpenID Connect and click on Next.

client_id.png


In the Capability config tab, enable both the Client authentication and Authorization options, and have the other options as the following screenshot, then click on Next:

capability_conf.png

Keep the settings in the next tab as is, and click on Save.

login_settings.png


The following assignment might not be required, when registering a client in the master realm.


Switch to the Service account roles tab and click on the Assign role button.

assign_role.png

Select "Filter by clients" and search for "manage-users" then click enter. Choose "realm-management / manage-users" and click on Assign.

manage-users.png

The settings should look like the below now:

service_accounts_roles.png

Go to the Credentials tab, and copy the Client secret. You may regenerate it any time. 

client_secret.png

Configuration in User & Group Sync Configuration page

Navigate to the administration console for Jira, Confluence, or Bitbucket 

Confluence: search for USERS & SECURITY under which you'll find User & Group Sync
Jira: navigate to the User management tab in which you'll find User & Group Sync
Bitbucket: navigate to Administration/ Accounts you'll find User & Group Sync listed here

Click on Add Connector and choose Keyloak Connector.

add connector.png

Set a name, insert your Keycloak URL appending /auth at the end, and provide

  • realm name

  • client-id

  • secret

as per your Keycloak setup earlier. Use the Save and Test Connection button to check if User Sync can connect to Keycloak successfully.

Screenshot 2023-04-26 at 14.19.15.png

To schedule a periodic synchronization of your Keycloak directory with User & Group Sync, click on Show Advanced Settings at the very bottom of the page.
Enable Scheduled Synchronization needs to be checked, the default cron expression would then cause a sync every day at 2 am.

Click Save and Return to finish the configuration.

schedule.png



Configure SAML SSO


For the next steps, please go to Manage apps (or addons), choose SAML SSO and click Configure.

First Steps - Wizard

After you clicked "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that there is no IdP configured.
The Wizard greets you with information, click on "Add new IdP" to proceed.

welcome_wizard_add_newidp
welcome_wizard_add_newidp


Select Keycloak for your identity provider and select OpenID Connect for the authentication protocol. Enter a unique name and click Next to continue. 

select.png


Copy the callback url to your favourite text editor. 
2 servlet link.png


Go to your Keycloak server and choose your realm. Then go to Clients and click Create.

1 clients.png


Enter a Client ID. That must be unique. Click Save to continue.

2 create client.png


Next, scroll down and choose confidential for the Access Type. For the Valid Redirect URIs enter the callback URL from before.

3 acc type.png


Next, click Save and reload the page. Without reloading, the options for the next step is not displayed!

4 save.png


After reloading the page, go to the Credentials tab. Without reloading, the tab is not displayed!

5 creds.png


Copy the secret to your favorite text editor, we will need it soon.

6 secret.png




Enter your Keycloak Base Url and Keycloak Realm, next click Generate Metadata Url.

realm and baseurl.png


Click Import Metadata.

Import.png


You will see this message if the import was successful.
5 success.png


To finish the wizard, click Save and Close.

Screenshot 2021-12-08 at 11.06.14.png


Next, scroll down to the User Creation and Update section. Choose Update with UserSync for the User Update Method.
1 user update method.png

Choose the connector you have created before and click Save.
Screenshot 2021-12-14 at 11.05.48.png


Testing SSO


To test you configuration, go to the System & Support section of the app and scroll down to the Tracker List.

1 System & Support.png

Click New Tracker. If you have more than one identity provider configured, you must choose which configuration should be used for the log in test.
2 tracker.png

Copy the test url and open the link an incognito web browser. If something goes wrong during the test, you can easily create a support ticket that includes this tracker by click Contact Support. Additionally, you can contact us by going to https://www.resolution.de/go/support or booking a free meeting via https://www.resolution.de/go/calendly.

3 Test.png


Redirect to SSO


After a successful test, the next step is to configure the redirection. With the redirection setting, the app can automatically redirect users to log in via OpenID Connect.

Go change this setting, go to Redirection from the middle panel.

By checking Enable SSO Redirect, users will get redirected to the configured SSO provider for login. If you are running JSM, you find a second option below. 

Click Save to finish the configuration
Screenshot 2022-01-11 at 13.22.40.png


If Enable SSO Redirect is enabled, you can login to your Atlassian application manually by browsing to the URL that fits your Atlassian application as listed below.
Use this URL, if you need to login a local user unknown to the Keycloak or if there are any issues with Single Sign On.

  • Jira: https://<baseurl>/login.jsp?nosso

  • Confluence: https://<baseurl>/login.action?nosso

  • Bitbucket: https://<baseurl>/login?nosso

Back to Top

This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other