If a Jira/Confluence/Bitbucket/Bamboo migration/clone to a new server with a changed Host/Base URL (e.g. Dev/Prod/Staging instance) has been done/created, please take care of the following points regarding the SAML SSO add-on within the new instance:
- Because the Base URL has changed, you need to ensure that the SAML SSO Entity ID (under SAML SingleSignOn Plugin Configuration -> Service Provider -> Service provider settings) has the correct Base URL information of your new instance (https://<New-BaseURL>/plugins/servlet/samlsso).
- If you either use the Signed Authentication Request or the Encryption funtionality, a new certificate is required, because the certificate includes the old BaseURL information. To create a new one, go to the SAML SingleSignOn Plugin Configuration -> Service Provider -> Signing and encryption -> click on the button Generate new Private Key and Certificate. Save the configurations.
The above changes must be communicated to the Identity Provider. The recommended way is to update your Identity Provider via SAML SSO metadata (https://<New-BaseURL>/plugins/servlet/samlsso/medata). When your Identity Provider doesn't support metadata imports, you need to update following information manually:
- Identifier/Entity ID = https://<New-BaseURL>/plugins/servlet/samlsso
- Assertion Consumer Service URL (ACS) (also called Sign On URL) = https://<New-BaseURL>/plugins/servlet/samlsso
- Signing and Enryption Certificate = SAML SingleSignOn Plugin Configuration -> Service Provider -> Signing and encryption
For AD FS via metadata
- Open the AD FS application on your AD FS server.
- Open your Relying Party Trusts.
- Open the Properties for the specific Relying Party Trust → Monitoring
- Update the Relying party's federation metadata URL (https://<New-BaseURL>/plugins/servlet/samlsso/medata)
- Click on Apply/OK to save the settings.
- Right click on the Relying Party Trust -> Update from Federation Metadata. (If this fails, please check if have you defined the correct metadata URL one step above.
- Check if the Identifiers, Encryption and Signing sections have included the correct information.
- Click on Update.