The JIRA SSO Plugin from Resolution GmbH also enables SAML Single Sign On (SSO) to JIRA Service Desk.

Starting with version 0.13, JIRA SAML Single Sign On (SSO) allows authenticating users on the JIRA 7 Service Desk Customer portal (https://<jira>/Servicedesk/Customer/portal).

Existing users can be authenticated (and updated) and new users can be created on the fly during login (see Create or update users through SAML Attributes).

In general, users will be assigned to groups that are included in the SAML-Response from the IdP. In addition to these groups, Customers will be added to the group specified in the configuration field JIRA SD Customer Groups:

Do not add SD Customers to a group giving application access (e.g. jira-servicedesk-users), otherwise licenses will be consumed for these users.

The SAML SSO Authenticator

With the upcoming release 0.15.1, this will no longer be relevant. Service Desk user authentication will then work without further configuration.

JIRA 6.4 allowed a workaround to authenticate Service Desk users which could be implemented within the SAML Single Sign On-plugin. Starting with JIRA 7, this no longer works.

Now it's necessary to install this authenticator: samlsso-authenticator-1.1.1.jar

With versions prior to 1.1, directory sync issues could occur if JIRA is used as the user directory for other applications like Confluence. Please ensure that the JAR is updated.


To install:

  • Copy the JAR file to your JIRA installation directory under <jira-installation>/atlassian-jira/WEB-INF/lib

    If there are older samlsso-authenticator JARs in the lib folder, make sure to delete them. There must be only one version on the classpath.

  • Modify <jira-installation>/atlassian-jira/WEB-INF/classes/seraph-config.xml:
<!-- Comment out the JiraSeraphAuthenticator -->
<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
<!-- Add this line to enable the JiraSsoAuthenticator -->
<authenticator class="com.resolution.samlsso.authenticator.JiraSsoAuthenticator"/>

  • Restart JIRA to enable this change.
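The two file changes above can be checked before the restart with a script like the following. This is an added example, not part of the Resolution documentation: the function names, the `<security-config>` wrapper in the sample and the `samlsso-authenticator-OLD.jar` file name are constructed for illustration. It verifies that exactly one samlsso-authenticator JAR is in the lib folder and that JiraSsoAuthenticator is the only authenticator left uncommented in seraph-config.xml.

```python
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SSO_CLASS = "com.resolution.samlsso.authenticator.JiraSsoAuthenticator"
SERAPH_CLASS = "com.atlassian.jira.security.login.JiraSeraphAuthenticator"


def check_install(jira_dir):
    """Return a list of problems under <jira-installation>; empty means OK."""
    webinf = Path(jira_dir) / "atlassian-jira" / "WEB-INF"
    problems = []
    # There must be only one samlsso-authenticator JAR on the classpath.
    jars = sorted(p.name for p in (webinf / "lib").glob("samlsso-authenticator-*.jar"))
    if len(jars) != 1:
        problems.append(f"expected one samlsso-authenticator JAR, found {jars}")
    # ElementTree discards XML comments, so a commented-out <authenticator>
    # line is not counted as active.
    config = webinf / "classes" / "seraph-config.xml"
    try:
        root = ET.parse(str(config)).getroot()
    except (OSError, ET.ParseError) as exc:
        return problems + [f"cannot parse {config}: {exc}"]
    active = [el.get("class") for el in root.iter("authenticator")]
    if active != [SSO_CLASS]:
        problems.append(f"active authenticator(s) {active}, expected only {SSO_CLASS}")
    return problems


def build_sample(root, jar_names, config_body):
    """Create a constructed installation tree (empty JARs, minimal config)."""
    webinf = Path(root) / "atlassian-jira" / "WEB-INF"
    (webinf / "lib").mkdir(parents=True)
    (webinf / "classes").mkdir()
    for name in jar_names:
        (webinf / "lib" / name).touch()
    body = f"<security-config>{config_body}</security-config>"
    (webinf / "classes" / "seraph-config.xml").write_text(body)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # check a real installation directory
        found = check_install(sys.argv[1])
        print("\n".join(found) or "OK")
        sys.exit(1 if found else 0)
    with tempfile.TemporaryDirectory() as tmp:  # constructed, deliberately wrong
        build_sample(tmp, ["samlsso-authenticator-OLD.jar", "samlsso-authenticator-1.1.1.jar"],
                     f'<authenticator class="{SERAPH_CLASS}"/>')
        print("\n".join(check_install(tmp)))
```

Run it with the JIRA installation directory as the only argument; without an argument it reports the problems in a constructed, deliberately misconfigured sample tree.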

If the authenticator is installed correctly, the information "The SAMLSSOAuthenticator is installed in this system." should be displayed:


Adding this Authenticator should have no impact on an existing system. It inherits from JiraSeraphAuthenticator and adds an additional method to create one-time tokens.

This method is called by the SAMLSSO-Servlet within the Plugin and the retrieved token is added to a redirected request to perform the authentication.