Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
SAML SSO and Atlassian Jira User Directory
Prerequisite
Atlassian allows you to connect Confluence, Bitbucket and Bamboo to your Jira instance, serving a single user directory with all the users from all the directories in Jira.
Passwords locally set for users in the Jira directories are synchronized, along with a few basic attributes.
Questions
Do I need SAML SSO on all Atlassian products with the Atlassian Jira User Directory?
Yes. SAML SSO needs to be setup for each, if a password-less login experience is expected on Jira, Confluence, Bitbucket and Bamboo.
Each product is considered as a single service provider, requiring unique configurations/ entity ids on the identity provider for each, as per the concept of SAML.
Instead of continuing to use this type of directory, it is also recommended to configure Jira, Confluence, Bitbucket and Bamboo in the same way.
This allows to benefit from all the features of SAML SSO and User Sync in each of them, not creating new dependencies between them.
Logging in via SSO and your identity provider to one of the Atlassian applications will provide a session for all the others.
Should you not use Windows Integrated Authentication (WIA) or any other type of seamless authenticating, not prompting for user and password on a computer signed in to a corporate network,
you won't need to sign in on all the Atlassian applications separately.
Example: Jira, Confluence and Bitbucket with SAML SSO and Azure AD
Signing in to Jira with SSO via the Azure AD/ O365 login screens won't prompt you for your Azure AD/ O365 on the other applications again.
Could I still use the Atlassian Jira User Directory and not use SSO on Confluence, Bitbucket and Bamboo?
Yes, but this comes with the following downsides, also violating security best practices:
- Users would need to set a local password in Jira which is against the concept of managing user identities including passwords on the identity provider.
Users could set a different password locally than they have set already on the IdP. This is a potential security risk, as password policies are not enforced. - When using User Sync in Jira with this kind of setup, not all user attributes would be available on the other Atlassian applications.
Custom attributes from user profiles for instance wouldn't be available.