Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
Azure AD B2C with Just-In-Time Provisioning (SAML)
After completing this setup guide, you will set up Azure AD B2C with Just-In-Time Provisioning and your Atlassian product for the SAML SSO app. Additionally, you will enable the SSO redirection and test SSO.
Azure AD B2C only supports transmitting group ids via SAML attributes, not the group names. This tutorial assumes that you manage your groups locally and not with Azure AD B2C. If you like to manage groups via Azure AD B2X and using JIT, you have to edit the manifest of the Azure enterprise application and create a transformation rule per group, which transforms the group id to a name. Please have a look at our KB for further information.
Prerequisites
To use the SAML SSO app with Azure AD B2C, you need the following:
- An Azure AD subscription
- An Azure AD B2C Tenant (please check this Microsoft article for more information)
- A Custom Policy in Azure AD B2C (check this Microsoft article)
- A (trial) subscription for the SAML SSO app
- Admin access to your Atlassian product
Step-By-Step Setup Guide
Install the SAML SSO app
In your Atlassian product, open the in-product marketplace as described in the Atlassian documentation.
Search for "resolution saml" and click "Install" for SAML Single Sign On (SSO) by resolution Reichert Network Solutions GmbH.
After the installation is complete, click Manage Apps/Addons.
Configure SAML SSO
For the next steps, please go to Manage apps (or addons), choose SAML SSO and click Configure.
First Steps - Wizard
- After you click "Configure", the Wizard will be triggered. If not, or if you want to add another Identity Prover (IdP) to your existing configuration, click on "+ Add IdP". This guide assumes, that there is no IdP configured.
The Wizard greets you with information, click on "Add new IdP" to proceed. - For the IdP Type, choose "Azure AD". You can also choose a name. Click on "Next" to continue.
- In the next step, you will configure Azure AD B2C. Please keep this tab open or copy the information.
Configure a Custom Policy in Azure AD B2C
For Azure AD B2C, SAML only works via custom policy that you need to create yourself. You can refer to the following Microsoft document for more info about that: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?msclkid=45673a56c60011ec8f8f44f115d63008&tabs=macos&pivots=b2c-custom-policy
Finishing the Configuration - Wizard
Paste the App Federation Metadata Url that was obtained before from your custom policy in Azure AD B2C.
- Click on "Import".
- Click on "Next" to continue.
- For User update, choose Update from SAML-Attributes.
The window now expands. There are various options you can set. For this tutorial, new users should be created automatically when first accessing your Atlassian product instance, thus tick "Create New Users".
You can also choose the directory for new users or to update non-SAML provisioned users, i.e. which are already present in your Atlassian product. By activating the option, they can also be updated via SAML attributes when they log in.
If your eMail Addresses are different from the Login name, you should use the attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
as the Email Attribute instead.
However, this only works for users that are Mail enabled (Exchange Online) or have this Attribute sync'd into Azure AD B2C via Directory Connect from Active Directory.
If the attribute is empty, User creation will fail.Under Group Setting, depending on your Atlassian product, it is a good idea to set (default) user group(s) for new users, such as jira-servicedesk-users for Jira SD, confluence-users for Confluence or stash-users for Bitbucket. Without assigning new users to the product specific group, they are not able to use your Atlassian product. Also, feel free to activate any option which suits your needs.
Click on Save & Next.
Testing SSO
The wizard also allows testing the Single Sign On. Just follow the steps to test if the login works as expected.
- Click on "Start test" to proceed.
- Copy the blue marked link and open a new incognito/private tab or a different web browser. Then, paste the link and navigate to it.
- You will be now redirected to Azure AD's login page. Please log-in with your username and password.
If everything worked fine, you will be logged in to your Atlassian product. In the other tab/browser in which you were configuring the SAML SSO plugin, you can see also the "SUCCESS" status, if everything worked as expected.
Click Next to proceed.
SSO Redirection
As a last step, you can set the Enable SSO Redirect option. If set, all users will be redirected to Single Sign On, thus they will be logged in via the IdP.
Click on Save & Close to finish the configuration.